CVE-2017-8821
HIGHTor < 0.2.5.16, 0.2.6-0.2.8 < 0.2.8.17, 0.2.9 < 0.2.9.14, 0.3.0 < 0.3.0.13, 0.3.1 < 0.3.1.9 - DoS via Crafted PEM Input
Title source: llmDescription
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4054
Vendor Advisory x_refsource_confirm
https://bugs.torproject.org/24246
Scores
CVSS v3
7.5
EPSS
0.0196
EPSS Percentile
77.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-119
Status
published
Products (4)
debian/debian_linux
8.0
debian/debian_linux
9.0
n/a/Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9
Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.
tor_project/tor
< 0.2.5.16
Published
Dec 03, 2017
Tracked Since
Feb 18, 2026