CVE-2015-2689 — Improper Input Validation in TOR

CWE-20 — Improper Input Validation6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 29.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Torproject TOR THE TOR Project TOR

Timeline

PublishedJan 24

Latest updateMay 24

Description

Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high DNS load, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDtorproject/tor0.2.5.1 — 0.2.5.11+1

▶Debiantorproject/tor< 0.2.5.11-1+3

▶CVEListV5the_tor_project/tor0.2.5.x before 0.2.5.11, before 0.2.4.26+1

Patches

Patch: trac.torproject.org ↗Patch: trac.torproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-7r2c-ch3m-w27x: Tor before 0↗2022-05-24

▶

CVEList

CVE-2015-2689: Tor before 0↗2020-01-24

▶

OSV

CVE-2015-2689: Tor before 0↗2020-01-24

▶

📋Vendor Advisories

Debian

CVE-2015-2689: tor - Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending...↗2015

▶

💬Community

Bugzilla

CVE-2015-2688 CVE-2015-2689 tor: security fixes in 0.2.4.26 and 0.2.5.11↗2015-03-23

▶