CVE-2017-0377

EUVD-2017-0731
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which might allow remote attackers to defeat intended anonymity properties by leveraging the existence of large families.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
Affected Products (NVD)
VendorProductVersion
torprojecttor
0.3.0.1:alpha
torprojecttor
0.3.0.2:alpha
torprojecttor
0.3.0.3:alpha
torprojecttor
0.3.0.4
torprojecttor
0.3.0.5
torprojecttor
0.3.0.6
torprojecttor
0.3.0.7
torprojecttor
0.3.0.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tor
bookworm
0.4.7.16-1
fixed
bookworm (security)
0.4.7.16-1
fixed
bullseye
0.4.5.16-1
fixed
bullseye (security)
0.4.5.16-1
fixed
sid
0.4.8.13-2
fixed
trixie
0.4.8.13-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tor
artful
ignored
bionic
not-affected
cosmic
not-affected
trusty
not-affected
xenial
not-affected
yakkety
ignored
zesty
ignored
Common Weakness Enumeration
References
https://blog.torproject.org/blog/tor-0309-released-security-update-clients
https://blog.torproject.org/blog/tor-0314-alpha-released-security-update-clients
https://github.com/torproject/tor/commit/665baf5ed5c6186d973c46cdea165c0548027350
https://security-tracker.debian.org/CVE-2017-0377
https://trac.torproject.org/projects/tor/ticket/22753
https://blog.torproject.org/blog/tor-0309-released-security-update-clients
https://blog.torproject.org/blog/tor-0314-alpha-released-security-update-clients
https://github.com/torproject/tor/commit/665baf5ed5c6186d973c46cdea165c0548027350
https://security-tracker.debian.org/CVE-2017-0377
https://trac.torproject.org/projects/tor/ticket/22753