VDB
CVE-2018-25022
CVE-2018-25022
REJECTED
The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their Tox Id) by positioning themselves close to target's Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target's DHT public key and creating a DHT node with public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node.
EPSS 0.30% · 53.5th percentile
Risk Scores
EPSS Score
0.30%
53.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | libtoxcore | 0 |
Exploit Intelligence
Timeline
- Dec 13, 2021 EPSS Score
- Dec 13, 2021 CVE Published
- Feb 5, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 25, 2022 EPSS Score
- Jul 20, 2022 EPSS Score
- Sep 12, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Dec 30, 2022 EPSS Score
- Feb 23, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 18, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-25022 third-party-advisory
- https://blog.tox.chat/2018/04/security-vulnerability-and-new-toxcore-release third-party-advisory
- https://github.com/TokTok/c-toxcore/issues/873 third-party-advisory
- https://github.com/TokTok/c-toxcore/pull/872 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-25022 third-party-advisory