Access Restriction Bypass Affecting tor package, versions <0.2.0.32-1
Threat Intelligence
EPSS
0.04% (6th percentile)
- Snyk ID SNYK-DEBIAN10-TOR-370849
- published 9 Dec 2008
- disclosed 9 Dec 2008
Introduced: 9 Dec 2008
CVE-2008-5397
How to fix?
Upgrade Debian:10 tor to version 0.2.0.32-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream tor package and not the tor package as distributed by Debian.
See "How to fix?" for the relevant Debian:10 fixed versions and status.
Tor before 0.2.0.32 does not properly process the (1) User and (2) Group configuration options, which might allow local users to gain privileges by leveraging unintended supplementary group memberships of the Tor process.
References
- https://security-tracker.debian.org/tracker/CVE-2008-5397
- http://security.gentoo.org/glsa/glsa-200904-11.xml
- http://blog.torproject.org/blog/tor-0.2.0.32-released
- http://www.vupen.com/english/advisories/2008/3366
- http://xforce.iss.net/xforce/xfdb/47101
- http://secunia.com/advisories/33025
- http://secunia.com/advisories/34583
- http://www.securityfocus.com/bid/32648
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47101