Skip to main content

Tor CVE-2017-8820

HIGH
NULL Pointer Dereference (CWE-476)
2017-12-03 security@debian.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 03, 2017 - 07:29 cve.org
HIGH 7.5

DescriptionCVE.org

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service (NULL pointer dereference and application crash) against directory authorities via a malformed descriptor, aka TROVE-2017-010.

AnalysisAI

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service (NULL pointer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as NULL Pointer Dereference (CWE-476), which allows attackers to crash the application by dereferencing a null pointer. In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service (NULL pointer dereference and application crash) against directory authorities via a malformed descriptor, aka TROVE-2017-010. Affected products include: Tor Project Tor, Debian Debian Linux. Version information: before 0.2.5.16.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Check pointers before dereferencing. Use static analysis tools to detect null pointer paths.

More in Tor

View all
CVE-2017-16541 MEDIUM POC
6.5 Nov 04

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove

CVE-2021-38385 HIGH POC
7.5 Aug 30

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s

CVE-2018-0491 HIGH POC
7.5 Mar 05

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-23589 MEDIUM POC
6.5 Jan 14

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th

CVE-2020-8516 MEDIUM POC
5.3 Feb 02

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att

CVE-2017-8823 HIGH
8.1 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2016-1254 HIGH
7.5 Dec 05

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic

CVE-2016-8860 HIGH
7.5 Jan 04

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data

CVE-2017-0375 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r

CVE-2017-0376 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c

CVE-2017-8821 HIGH
7.5 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2017-0377 HIGH
7.5 Jul 02

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family

Share

CVE-2017-8820 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy