CVE-2013-7295: TOR vulnerability

CWE-310 | 6 documents | 6 sources
Severity: 4.0 MEDIUM (NVD)
EPSS: 0.2% (top 63.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 17; latest update May 17

Description

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors.

CVSS vector

AV:N/AC:H/C:P/I:P/A:N
Exploitability: 4.9 | Impact: 4.9

Affected Packages (2 packages)

Debian: torproject/tor < 0.2.4.20-1 (+3)
NVD: torproject/tor 0.2.4.19 (+18)

Vulnerability Details (3)

GHSA: GHSA-3x57-m985-pg67: Tor before 0 (2022-05-17)
OSV: CVE-2013-7295: Tor before 0 (2014-01-17)
CVEList: CVE-2013-7295: Tor before 0 (2014-01-17)

Vendor Advisories (1)

Debian: CVE-2013-7295: tor - Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain Hard... (2013)

Community (1)

Bugzilla: CVE-2013-7295 tor: improper random number generation on certain Intel platforms with OpenSSL 1.x (2014-01-18)