CVE-2021-38385 — Vulnetix

CVE-2021-38385 PUBLISHED CVSS 7.5 HIGH

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature verification, leading to a remote assertion failure, aka TROVE-2021-007.

EPSS 0.60% · 69.7th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.60%

69.7th percentile

Affected Products

Vendor	Product	Versions
torproject	tor	0, 0.4.0.0, 0.4.6.0
n/a	n/a	n/a

Timeline

Aug 19, 2021 CVE Published
Aug 30, 2021 EPSS Score
Sep 3, 2021 EPSS Score
Oct 27, 2021 EPSS Score
Dec 24, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 19, 2022 EPSS Score
Jun 16, 2022 EPSS Score
Aug 14, 2022 EPSS Score
Dec 8, 2022 EPSS Score

References

https://blog.torproject.org url
https://blog.torproject.org/node/2062 url
https://bugs.torproject.org/tpo/core/tor/40078 url
GLSA-202305-11 vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2021-38385 advisory

Open in Interactive Console →