CVE-2014-9721

Published: 03/06/2015 Updated: 03/01/2017
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

libzmq prior to 4.0.6 and 4.1.x prior to 4.1.1 allows remote malicious users to conduct downgrade attacks and bypass ZMTP v3 protocol security mechanisms via a ZMTP v2 or earlier header.

Vulnerable Product

zeromq zeromq

zeromq zeromq 4.1.0

Vendor Advisories

Debian Bug report logs - #784366
zeromq3: CVE-2014-9721: V3 protocol handler vulnerable to downgrade attacks
Package: zeromq3
Maintainer for zeromq3 is Laszlo Boszormenyi (GCS) <gcs@debian.org>
Reported by: John Morris <john@zultron.com>
Date: Tue, 5 May 2015 20:03:01 UTC
Severity: grave
Tags: fixed-upstream, secu ...

It was discovered that libzmq, a lightweight messaging kernel, is susceptible to a protocol downgrade attack on sockets using the ZMTP v3 protocol. This could allow remote attackers to bypass ZMTP v3 security mechanisms by sending ZMTP v2 or earlier headers. For the stable distribution (jessie), this problem has been fixed in version 4.0.5+dfsg-2+d ...