9.8

CVE-2019-13132

EPSS 23.22%
Published 10.07.2019 19:15:10
Last modified 21.11.2024 04:24:15
Source cve@mitre.org
Teams watchlist Login
Open Login

In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

Affected products Warnungen 0 Metrics 3 CWE 1 References 18

Data is provided by the National Vulnerability Database (NVD)

Zeromq ≫ Libzmq Version < 4.0.9

Zeromq ≫ Libzmq Version >= 4.1.0 < 4.1.7

Zeromq ≫ Libzmq Version >= 4.2.0 < 4.3.2

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.10

Canonical ≫ Ubuntu Linux Version19.04

Fedoraproject ≫ Fedora Version29

Fedoraproject ≫ Fedora Version30

Fedoraproject ≫ Fedora Version31

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	23.22%	0.957

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00033.html

Broken Link

http://www.openwall.com/lists/oss-security/2019/07/08/6

Third Party Advisory

Mailing List

Release Notes

http://www.securityfocus.com/bid/109284

Third Party Advisory

Broken Link

VDB Entry

https://fangpenlin.com/posts/2024/04/07/how-i-discovered-a-9-point-8-critical-security-vulnerability-in-zeromq-with-mostly-pure-luck/

https://github.com/zeromq/libzmq/issues/3558

Third Party Advisory

https://github.com/zeromq/libzmq/releases

Third Party Advisory

Release Notes

https://lists.debian.org/debian-lts-announce/2019/07/msg00007.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVCTNUEOFFZUNJOXFCYCF3C6Y6NDILI3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MK7SJYDJ7MMRRRPCUN3SCSE7YK6ZSHVS/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6HINI24SL7CU6XIJWUOSGTZWEFOOL7X/

https://news.ycombinator.com/item?id=39970716

https://seclists.org/bugtraq/2019/Jul/13

Third Party Advisory

Mailing List

https://security.gentoo.org/glsa/201908-17

Third Party Advisory

https://usn.ubuntu.com/4050-1/

Third Party Advisory

https://www.debian.org/security/2019/dsa-4477

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-13132

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-13132

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-13132

EUVD