CVE-2017-0380

Name: CVE-2017-0380
Creator: NVD / NIST
Published: 2017-09-18T16:29:00.207+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.54%

Last modified Jun 17, 2026

CVE-2017-0380 is a vulnerability of currently unknown severity. The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit.. EPSS estimates a 1.54% chance of exploitation in the next 30 days.

Description

The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit.

Metrics

EPSS Probability

1.54%

71.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-532

Affected Software

Vendor	Product	Versions	Update
Torproject	Tor	<= 0.2.8.14	—
Torproject	Tor	0.2.9.0	—
Torproject	Tor	0.2.9.1	Alpha
Torproject	Tor	0.2.9.2	Alpha
Torproject	Tor	0.2.9.3	Alpha
Torproject	Tor	0.2.9.4	Alpha
Torproject	Tor	0.2.9.5	Alpha
Torproject	Tor	0.2.9.6	—
Torproject	Tor	0.2.9.8	—
Torproject	Tor	0.2.9.9	—
Torproject	Tor	0.2.9.10	—
Torproject	Tor	0.2.9.11	—
Torproject	Tor	0.3.0.0	—
Torproject	Tor	0.3.0.1	Alpha
Torproject	Tor	0.3.0.2	Alpha
Torproject	Tor	0.3.0.3	Alpha
Torproject	Tor	0.3.0.4	Rc
Torproject	Tor	0.3.0.5	Rc
Torproject	Tor	0.3.0.6	—
Torproject	Tor	0.3.0.7	—
Torproject	Tor	0.3.0.8	—
Torproject	Tor	0.3.0.9	—
Torproject	Tor	0.3.0.10	—
Torproject	Tor	0.3.1.1	Alpha
Torproject	Tor	0.3.1.2	Alpha
Torproject	Tor	0.3.1.3	Alpha
Torproject	Tor	0.3.1.4	Alpha
Torproject	Tor	0.3.1.5	Alpha
Torproject	Tor	0.3.1.6	Alpha
Torproject	Tor	0.3.2	—

References

http://www.debian.org/security/2017/dsa-3993
http://www.securitytracker.com/id/1039519
https://github.com/torproject/tor/commit/09ea89764a4d3a907808ed7d4fe42abfe64bd486Patch, Third Party Advisory
https://trac.torproject.org/projects/tor/ticket/23490Mitigation, Patch, Vendor Advisory
http://www.debian.org/security/2017/dsa-3993
http://www.securitytracker.com/id/1039519
https://github.com/torproject/tor/commit/09ea89764a4d3a907808ed7d4fe42abfe64bd486Patch, Third Party Advisory
https://trac.torproject.org/projects/tor/ticket/23490Mitigation, Patch, Vendor Advisory

Timeline

Published: Sep 18, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-0380?

How severe is CVE-2017-0380?

Severity scoring for CVE-2017-0380 is pending analysis. The EPSS model estimates a 1.54% probability of exploitation in the next 30 days.

How do I fix CVE-2017-0380?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-0380?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST