CVE-2017-8822

Low

Description

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.

References

https://www.debian.org/security/2017/dsa-4054

https://bugs.torproject.org/24333

https://bugs.torproject.org/21534

https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516

Details

Source: Mitre, NVD

Published: 2017-12-03

Updated: 2017-12-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Low