CVE-2017-8822

low-risk
Published 2017-12-03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.

Do I need to act?

-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (3)

Tor

Affected Vendors

Tor Project Debian

References (8)

Vendor Advisory https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02...
Issue Tracking https://bugs.torproject.org/21534
Vendor Advisory https://bugs.torproject.org/24333
Third Party Advisory https://www.debian.org/security/2017/dsa-4054
Vendor Advisory https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02...
Issue Tracking https://bugs.torproject.org/21534
Vendor Advisory https://bugs.torproject.org/24333
Third Party Advisory https://www.debian.org/security/2017/dsa-4054
23
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 9/34 · Low