CVE-2008-5398 — TOR vulnerability

CWE-2647 documents7 sources

Severity

9.3CRITICALNVD

EPSS

0.8%

top 25.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Torproject TOR TOR

Timeline

PublishedDec 9

Latest updateMay 17

Description

Tor before 0.2.0.32 does not properly process the ClientDNSRejectInternalAddresses configuration option in situations where an exit relay issues a policy-based refusal of a stream, which allows remote exit relays to have an unknown impact by mapping an internal IP address to the destination hostname of a refused stream.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

▶Debiantorproject/tor< 0.2.0.32-1+3

▶NVDtor/tor0.1.2.31+99

Patches

Patch: blog.torproject.org ↗Patch: www.securityfocus.com ↗Patch: blog.torproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-55x8-g885-q727: Tor before 0↗2022-05-17

▶

OSV

CVE-2008-5398: Tor before 0↗2008-12-09

▶

CVEList

CVE-2008-5398: Tor before 0↗2008-12-09

▶

📋Vendor Advisories

Red Hat

tor: does not properly process the ClientDNSRejectInternalAddresses configuration option↗2008-12-04

▶

Debian

CVE-2008-5398: tor - Tor before 0.2.0.32 does not properly process the ClientDNSRejectInternalAddress...↗2008

▶

💬Community

Bugzilla

CVE-2008-5398 tor: does not properly process the ClientDNSRejectInternalAddresses configuration option↗2008-12-09

▶