CVE-2020-8516

medium

Description

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability.

References

https://www.hackerfactor.com/blog/index.php?/archives/868-Deanonymizing-Tor-Circuits.html

https://trac.torproject.org/projects/tor/ticket/33129

https://security-tracker.debian.org/tracker/CVE-2020-8516

https://lists.torproject.org/pipermail/tor-dev/2020-February/014147.html

https://lists.torproject.org/pipermail/tor-dev/2020-February/014146.html

Details

Source: Mitre, NVD

Published: 2020-02-02

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00803