CVE-2012-4922 — Improper Input Validation in TOR

CWE-20 — Improper Input Validation6 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

4.2%

top 11.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Torproject TOR

Timeline

PublishedSep 14

Latest updateMay 17

Description

The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.22-rc, does not properly validate time values, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed directory object, a different vulnerability than CVE-2012-4419.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Debiantorproject/tor< 0.2.3.22-rc-1+3

▶NVDtorproject/tor0.2.2.38+80

🔴Vulnerability Details

GHSA

GHSA-h4mc-jpwx-rjgp: The tor_timegm function in common/util↗2022-05-17

▶

CVEList

CVE-2012-4922: The tor_timegm function in common/util↗2012-09-14

▶

OSV

CVE-2012-4922: The tor_timegm function in common/util↗2012-09-14

▶

📋Vendor Advisories

Debian

CVE-2012-4922: tor - The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x bef...↗2012

▶

💬Community

Bugzilla

CVE-2012-4419 CVE-2012-4922 tor: assertion failures in tor_timegm() and compare_tor_addr_to_addr_policy()↗2012-09-13

▶