CVE-2017-0377 — Sensitive Information Exposure in TOR

CWE-200 — Sensitive Information Exposure CWE-190 — Integer Overflow or Wraparound10 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 35.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Torproject TOR

Timeline

PublishedJul 2

Latest updateMay 17

Description

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which might allow remote attackers to defeat intended anonymity properties by leveraging the existence of large families.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5torproject/torTor

▶NVDtorproject/tor8 versions+7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-vxgf-qp88-w686: Tor 0↗2022-05-17

▶

CVEList

CVE-2017-0377: Tor 0↗2017-07-02

▶

📋Vendor Advisories

Red Hat

vim: Integer overflow at a u_read_undo memory allocation site↗2017-02-13

▶

Debian

CVE-2017-0377: tor - Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the...↗2017

▶

💬Community

Bugzilla

CVE-2017-0377 tor: improper implementation of guard-selection algorithm could weaken anonymity↗2017-07-04

▶

Bugzilla

CVE-2017-0377 tor: improper implementation of guard-selection algorithm could weaken anonymity [epel-all]↗2017-07-04

▶

Bugzilla

CVE-2017-0377 tor: improper implementation of guard-selection algorithm could weaken anonymity [fedora-all]↗2017-07-04

▶