CVE-2017-8821

HIGH

Tor < 0.2.5.16, 0.2.6-0.2.8 < 0.2.8.17, 0.2.9 < 0.2.9.14, 0.3.0 < 0.3.0.13, 0.3.1 < 0.3.1.9 - DoS via Crafted PEM Input

Title source: llm
STIX 2.1

Description

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011.

References (3)

Core 3
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-4054
Vendor Advisory x_refsource_confirm
https://bugs.torproject.org/24246

Scores

CVSS v3 7.5
EPSS 0.0196
EPSS Percentile 77.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-119
Status published
Products (4)
debian/debian_linux 8.0
debian/debian_linux 9.0
n/a/Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9 Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.
tor_project/tor < 0.2.5.16
Published Dec 03, 2017
Tracked Since Feb 18, 2026