5.9

CVE-2017-0380

The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit.
Data provided by the National Vulnerability Database (NVD)
Torproject Tor Version <= 0.2.8.14
Torproject Tor Version 0.2.9.0
Torproject Tor Version 0.2.9.0 Update alpha
Torproject Tor Version 0.2.9.1 Update alpha
Torproject Tor Version 0.2.9.2 Update alpha
Torproject Tor Version 0.2.9.3 Update alpha
Torproject Tor Version 0.2.9.4 Update alpha
Torproject Tor Version 0.2.9.5 Update alpha
Torproject Tor Version 0.2.9.6
Torproject Tor Version 0.2.9.8
Torproject Tor Version 0.2.9.9
Torproject Tor Version 0.2.9.10
Torproject Tor Version 0.2.9.11
Torproject Tor Version 0.3.0.0
Torproject Tor Version 0.3.0.1 Update alpha
Torproject Tor Version 0.3.0.2 Update alpha
Torproject Tor Version 0.3.0.3 Update alpha
Torproject Tor Version 0.3.0.4 Update rc
Torproject Tor Version 0.3.0.5 Update rc
Torproject Tor Version 0.3.0.6
Torproject Tor Version 0.3.0.7
Torproject Tor Version 0.3.0.8
Torproject Tor Version 0.3.0.9
Torproject Tor Version 0.3.0.10
Torproject Tor Version 0.3.1.1 Update alpha
Torproject Tor Version 0.3.1.2 Update alpha
Torproject Tor Version 0.3.1.3 Update alpha
Torproject Tor Version 0.3.1.4 Update alpha
Torproject Tor Version 0.3.1.5 Update alpha
Torproject Tor Version 0.3.1.6 Update alpha
Torproject Tor Version 0.3.2
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type    Source       Score    Percentile
EPSS    FIRST.org    0.44%    0.604
CVSS Metrics
Source          Base Score    Exploit Score    Impact Score    Vector String
nvd@nist.gov    5.9           2.2              3.6             CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov    4.3           8.6              2.9             AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.