CVE-2021-38385

Published: Aug 30, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature verification, leading to a remote assertion failure, aka TROVE-2021-007.

Affected (3)

Products: Torproject: Tor

Torproject

1 product

Tor

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Torproject Tor	Before 0.3.5.16
Torproject Tor	From 0.4.0.0 to 0.4.5.10
Torproject Tor	From 0.4.6.0 to 0.4.6.7

Related CWEs

CWE-617

Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

References (8)

https://blog.torproject.org

Source: cve@mitre.org

Release NotesVendor Advisory

https://blog.torproject.org/node/2062

Source: cve@mitre.org

Release NotesVendor Advisory

https://bugs.torproject.org/tpo/core/tor/40078

Source: cve@mitre.org

ExploitIssue TrackingVendor Advisory

https://security.gentoo.org/glsa/202305-11

Source: cve@mitre.org

https://blog.torproject.org

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://blog.torproject.org/node/2062

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://bugs.torproject.org/tpo/core/tor/40078

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingVendor Advisory

https://security.gentoo.org/glsa/202305-11

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.