Strix
26.1K

CVE-2007-4174

UnknownEPSS 6.21%

Last modified

CVE-2007-4174 is a vulnerability of currently unknown severity. Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact via HTTP POST data containing commands without valid authentication, as demonstrated by an HTML form (1) hosted on a web site or (2) injected by a Tor exit node.. EPSS estimates a 6.21% chance of exploitation in the next 30 days.

Description

Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact via HTTP POST data containing commands without valid authentication, as demonstrated by an HTML form (1) hosted on a web site or (2) injected by a Tor exit node.

Metrics

EPSS Probability
6.21%

92.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
TorTor<= 0.1.2.15
TorTor0.1.2.1Alpha
TorTor0.1.2.2
TorTor0.1.2.3Alpha
TorTor0.1.2.4
TorTor0.1.2.5
TorTor0.1.2.6Alpha
TorTor0.1.2.7Alpha
TorTor0.1.2.8Beta
TorTor0.1.2.9
TorTor0.1.2.10
TorTor0.1.2.11
TorTor0.1.2.12
TorTor0.1.2.13
TorTor0.1.2.14

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2007-4174?
Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact via HTTP POST data containing commands without valid authentication, as demonstrated by an HTML form (1) hosted on a web site or (2) injected by a Tor exit node.
How severe is CVE-2007-4174?
Severity scoring for CVE-2007-4174 is pending analysis. The EPSS model estimates a 6.21% probability of exploitation in the next 30 days.
How do I fix CVE-2007-4174?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2007-4174?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST