CVE-2017-8822

Publication date 3 December 2017

Last updated 25 August 2025

Ubuntu priority

Low

Why this priority?

Cvss 3 Severity Score

3.7 · Low

Score breakdown

Description

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.

From the Ubuntu Security Team

It was discovered that Tor could make itself part of a circuit path resulting in degraded anonymity.

Status

Package Ubuntu Release Status
tor 18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
17.10 artful
Fixed 0.3.0.13-0ubuntu1~17.10.2
17.04 zesty Ignored end of life
16.04 LTS xenial
Fixed 0.2.9.14-1ubuntu1~16.04.2
14.04 LTS trusty
Fixed 0.2.4.27-1ubuntu0.1

Severity score breakdown

Parameter Value
Base score 3.7 · Low
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact None
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Other references