Permissions, Privileges, and Access Controls in Tor - CVE-2011-2768
Published: December 23, 2011 / Updated: August 11, 2020
Vulnerability identifier: #VU44434
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-2768
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: tor.eff.org
Affected software:
Tor
Tor
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set of entry guards that the client or bridge had selected.
How to mitigate CVE-2011-2768
Install update from vendor's website.