CVE-2011-2768 — TOR vulnerability

CWE-2648 documents6 sources

Severity

5.8MEDIUMNVD

EPSS

0.1%

top 66.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Torproject TOR TOR

Timeline

PublishedDec 23

Latest updateMay 17

Description

Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set of entry guards that the client or bridge had selected.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶Debiantorproject/tor< 0.2.2.34-1+3

▶NVDtor/tor0.2.2.33+204

Patches

Patch: blog.torproject.org ↗Patch: blog.torproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-h978-fv3x-h43g: Tor before 0↗2022-05-17

▶

OSV

CVE-2011-2768: Tor before 0↗2011-12-23

▶

CVEList

CVE-2011-2768: Tor before 0↗2011-12-23

▶

📋Vendor Advisories

Debian

CVE-2011-2768: tor - Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certific...↗2011

▶

💬Community

Bugzilla

CVE-2011-2768 CVE-2011-2769 tor: multiple flaws corrected in 0.2.2.34 [epel-5]↗2011-10-28

▶

Bugzilla

CVE-2011-2768 CVE-2011-2769 tor: multiple flaws corrected in 0.2.2.34 [fedora-all]↗2011-10-28

▶

Bugzilla

CVE-2011-2768 CVE-2011-2769 tor: multiple flaws corrected in 0.2.2.34↗2011-10-28

▶