CVE-2019-6250
Summary
| CVE | CVE-2019-6250 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2019-01-13 15:29:00 UTC |
|---|
| Updated | 2019-04-03 13:38:00 UTC |
|---|
| Description | A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control). |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Remote code execution vulnerability · Issue #3351 · zeromq/libzmq · GitHub |
CONFIRM |
github.com |
Exploit, Patch, Third Party Advisory |
| Debian -- Security Information -- DSA-4368-1 zeromq3 |
DEBIAN |
www.debian.org |
Third Party Advisory |
| Release libzmq 4.3.1 · zeromq/libzmq · GitHub |
CONFIRM |
github.com |
Third Party Advisory |
| ZeroMQ: Code execution (GLSA 201903-22) — Gentoo security |
GENTOO |
security.gentoo.org |
Third Party Advisory |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 500828 Alpine Linux Security Update for zeromq
- 504565 Alpine Linux Security Update for zeromq
- 710185 Gentoo Linux ZeroMQ Code execution Vulnerability (GLSA 201903-22)
