CVE-2017-8823

HIGH

Tor < 0.2.5.16, 0.2.6-0.2.8 < 0.2.8.17, 0.2.9 < 0.2.9.14, 0.3.0 < 0.3.0.13, 0.3.1 < 0.3.1.9 - Use-After-Free

Title source: llm
STIX 2.1

Description

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, there is a use-after-free in onion service v2 during intro-point expiration because the expiring list is mismanaged in certain error cases, aka TROVE-2017-013.

References (4)

Core 4
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugs.torproject.org/24313
Vendor Advisory x_refsource_confirm
https://bugs.torproject.org/24430
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-4054

Scores

CVSS v3 8.1
EPSS 0.0160
EPSS Percentile 72.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (4)
debian/debian_linux 8.0
debian/debian_linux 9.0
n/a/Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9 Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.
tor_project/tor < 0.2.5.16
Published Dec 03, 2017
Tracked Since Feb 18, 2026