CVE-2023-23589: Protection Mechanism Failure in TOR

Severity
6.5 MEDIUM (NVD)
EPSS
0.4%
top 39.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 14

Description

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (2 packages)

NVD: torproject/tor < 0.4.7.13
Debian: torproject/tor < 0.4.5.16-1+3

Also affects: Debian Linux 10.0, 11.0, Fedora 36, 37

Patches

🔴Vulnerability Details

3
CVEList
CVE-2023-23589: The SafeSocks option in Tor before 0 (2023-01-14)
GHSA
GHSA-6wqq-m34g-chqp: The SafeSocks option in Tor before 0 (2023-01-14)
OSV
CVE-2023-23589: The SafeSocks option in Tor before 0 (2023-01-14)

📋Vendor Advisories

1
Debian
CVE-2023-23589: tor - The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsaf... (2023)
CVE-2023-23589 — Protection Mechanism Failure in TOR | cvebase