Vulnerability Details : CVE-2023-23589
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.
Products affected by CVE-2023-23589
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-23589
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 55 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-23589
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
NIST |
References for CVE-2023-23589
-
https://www.debian.org/security/2023/dsa-5320
Debian -- Security Information -- DSA-5320-1 torThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/
[SECURITY] Fedora 37 Update: tor-0.4.7.13-1.fc37 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/
[SECURITY] Fedora 36 Update: tor-0.4.7.13-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202305-11
Tor: Multiple Vulnerabilities (GLSA 202305-11) — Gentoo security
-
https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc
socks: Make SafeSocks refuse SOCKS4 and accept SOCKS4a (a282145b) · Commits · The Tor Project / Core / Tor · GitLabPatch;Vendor Advisory
-
https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html
[SECURITY] [DLA 3286-1] tor security updateMailing List;Third Party Advisory
-
https://gitlab.torproject.org/tpo/core/tor/-/issues/40730
TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through (#40730) · Issues · The Tor Project / Core / Tor · GitLabExploit;Issue Tracking;Patch;Vendor Advisory
-
https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes
Release Notes;Vendor Advisory
Jump to