CVE-2023-23589 - OpenCVE

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Fedoraproject	Fedora
Torproject	Tor

Configuration 1 [-]

cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

No data.

References

Link	Providers
https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc
https://gitlab.torproject.org/tpo/core/tor/-/issues/40730
https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes
https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/
https://security.gentoo.org/glsa/202305-11
https://www.debian.org/security/2023/dsa-5320

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-14T00:00:00

Updated: 2024-08-02T10:35:33.384Z

Reserved: 2023-01-14T00:00:00

Link: CVE-2023-23589

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-14T01:15:15.627

Modified: 2023-11-07T04:07:47.177

Link: CVE-2023-23589

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-23589", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T10:35:33.384Z", "dateReserved": "2023-01-14T00:00:00", "datePublished": "2023-01-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-03T00:00:00"}, "descriptions": [{"lang": "en", "value": "The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes"}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730"}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc"}, {"name": "DSA-5320", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5320"}, {"name": "FEDORA-2023-c290171664", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/"}, {"name": "FEDORA-2023-1254a1fc28", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/"}, {"name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3286-1] tor security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"}, {"name": "GLSA-202305-11", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-11"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.384Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes", "tags": ["x_transferred"]}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730", "tags": ["x_transferred"]}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc", "tags": ["x_transferred"]}, {"name": "DSA-5320", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5320"}, {"name": "FEDORA-2023-c290171664", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/"}, {"name": "FEDORA-2023-1254a1fc28", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/"}, {"name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3286-1] tor security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"}, {"name": "GLSA-202305-11", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-11"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*", "matchCriteriaId": "12B2A54B-3113-4BB0-82D6-27EC4D1F4043", "versionEndExcluding": "0.4.7.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002."}, {"lang": "es", "value": "La opci\u00f3n SafeSocks en Tor anterior a 0.4.7.13 tiene un error l\u00f3gico en el que se puede usar el protocolo SOCKS4 inseguro pero no el protocolo SOCKS4a seguro, tambi\u00e9n conocido como TROVE-2022-002."}], "id": "CVE-2023-23589", "lastModified": "2023-11-07T04:07:47.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-14T01:15:15.627", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202305-11"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5320"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}