Main Vulnerability Database Vulnerabilities #VU37869

Input validation error in Tor - CVE-2017-8822

Published: December 3, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU37869

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-8822

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: tor.eff.org

Affected software:
Tor

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.

How to mitigate CVE-2017-8822

Install update from vendor's website.

Sources

https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
https://bugs.torproject.org/21534
https://bugs.torproject.org/24333
https://www.debian.org/security/2017/dsa-4054

Input validation error in Tor - CVE-2017-8822

Detailed vulnerability description

How to mitigate CVE-2017-8822

Sources

Please verify you're human