Vulnerability Details : CVE-2019-8955
In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.
Vulnerability category: Denial of service
Products affected by CVE-2019-8955
- cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.5:rc:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.6:rc:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.4:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.0:alpha-dev:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.0:alpha-dev:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.7:rc:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.6:rc:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.4.0.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.3:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.4.4:rc:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.3.5.3:alpha:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-8955
- EPSS score: 2.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~82% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-8955
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2019-8955
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-8955
- http://www.securityfocus.com/bid/107136
  Tor CVE-2019-8955 Remote Denial of Service Vulnerability (Third Party Advisory; VDB Entry)
- https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312
  New Releases: Tor 0.4.0.2-alpha, 0.3.5.8, 0.3.4.11, and 0.3.3.12 | Tor Blog (Vendor Advisory)
- https://trac.torproject.org/projects/tor/ticket/29168
  #29168 (Fix TROVE-2019-001 (KIST can write above outbuf highwater mark)) – Tor Bug Tracker & Wiki (Vendor Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00013.html
  [security-announce] openSUSE-SU-2019:1107-1: moderate: Security update f