CVE-2019-13132
high-risk
Published 2019-07-10
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
Do I need to act?
27.9% chance of exploitation in next 30 days
EPSS score — higher than 72% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Fixed in libzmq commits 28625e3479a9f568740674655b4cc61dab9404eb, c9894a493dd4a460d6a109a017609925ce589e31 and a84ffa12b2eb3569ced199660bac5ad128bff1f0. Upgrade to the first fixed release of your branch: 4.0.9, 4.1.7 or 4.3.2 (or later).
CVSS 9.8/10 (Critical): attack vector NETWORK, attack complexity LOW
Affected Products (10)
Affected Vendors
References (30)
Broken Link
http://www.securityfocus.com/bid/109284
Third Party Advisory
https://github.com/zeromq/libzmq/issues/3558
Release Notes
https://github.com/zeromq/libzmq/releases
Mailing List
https://seclists.org/bugtraq/2019/Jul/13
Third Party Advisory
https://security.gentoo.org/glsa/201908-17
Third Party Advisory
https://usn.ubuntu.com/4050-1/
Third Party Advisory
https://www.debian.org/security/2019/dsa-4477
Risk score 63/100 (high-risk)
Severity: 32/34 · Critical
Exploitability: 15/34 · Moderate
Exposure: 16/34 · Moderate