Tor Project Tor vulnerabilities

5 known vulnerabilities affecting tor_project/tor.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH4LOW1

Vulnerabilities

Page 1 of 1
CVE-2017-8819HIGHCVSS 7.5fixed in 0.2.5.16≥ 0.2.6, < 0.2.8.17+3 more2017-12-03
CVE-2017-8819 [HIGH] CVE-2017-8819: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the replay-cache protection mechanism is ineffective for v2 onion services, aka TROVE-2017-009. An attacker can send many INTRODUCE2 cells to trigger this issue.
nvd
CVE-2017-8820HIGHCVSS 7.5fixed in 0.2.5.16≥ 0.2.6, < 0.2.8.17+3 more2017-12-03
CVE-2017-8820 [HIGH] CWE-476 CVE-2017-8820: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service (NULL pointer dereference and application crash) against directory authorities via a malformed descriptor, aka TROVE-2017-010.
nvd
CVE-2017-8823HIGHCVSS 8.1fixed in 0.2.5.16≥ 0.2.6, < 0.2.8.17+3 more2017-12-03
CVE-2017-8823 [HIGH] CWE-416 CVE-2017-8823: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, there is a use-after-free in onion service v2 during intro-point expiration because the expiring list is mismanaged in certain error cases, aka TROVE-2017-013.
nvd
CVE-2017-8821HIGHCVSS 7.5fixed in 0.2.5.16≥ 0.2.6, < 0.2.8.17+3 more2017-12-03
CVE-2017-8821 [HIGH] CWE-119 CVE-2017-8821: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TR
nvd
CVE-2017-8822LOWCVSS 3.7fixed in 0.2.5.16≥ 0.2.6, < 0.2.8.17+3 more2017-12-03
CVE-2017-8822 [LOW] CWE-417 CVE-2017-8822: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
nvd