#VU37869 Input validation error in Tor - CVE-2017-8822

 


Published: December 3, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU37869
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-8822
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Tor
Software vendor: tor.eff.org

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
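The version ranges above can be turned into an inventory check. The following is an added example, not code from the Tor project or from this advisory: `classify` and `parse_tor_version` are hypothetical helper names, the sample strings are constructed, and status tags such as `-alpha` or `-rc` are ignored as a simplifying assumption. Release series newer than 0.3.1 are reported as `not-listed` because the advisory text does not cover them.

```python
import re

# First fixed release per series, taken from the advisory text above.
# Series 0.2.6, 0.2.7 and 0.2.8 share one fix ("0.2.6 through 0.2.8 before 0.2.8.17").
FIXED_IN = {
    (0, 2, 5): (0, 2, 5, 16),
    (0, 2, 6): (0, 2, 8, 17),
    (0, 2, 7): (0, 2, 8, 17),
    (0, 2, 8): (0, 2, 8, 17),
    (0, 2, 9): (0, 2, 9, 14),
    (0, 3, 0): (0, 3, 0, 13),
    (0, 3, 1): (0, 3, 1, 9),
}
OLDEST_SERIES = min(FIXED_IN)

# Four dotted integers, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_tor_version(text):
    """Extract (major, minor, micro, patchlevel) from a version banner or bare string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Tor version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for CVE-2017-8822 (TROVE-2017-012)."""
    version = parse_tor_version(text)
    series = version[:3]
    if series < OLDEST_SERIES:
        return "affected"      # "before 0.2.5.16" covers every older series
    fixed = FIXED_IN.get(series)
    if fixed is None:
        return "not-listed"    # series the advisory does not mention
    return "affected" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, e.g. collected from relay inventories.
    for banner in ("Tor version 0.2.9.13.", "0.2.7.6", "0.2.8.17", "0.3.1.9", "0.3.2.1-alpha"):
        print(f"{banner:24} {classify(banner)}")
```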


Remediation

Install the update from the vendor's website.

External links