CVE-2017-8822
Publication date 3 December 2017
Last updated 25 August 2025
Ubuntu priority
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
From the Ubuntu Security Team
It was discovered that Tor could make itself part of a circuit path resulting in degraded anonymity.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| tor | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 0.2.9.14-1ubuntu1~16.04.2
|
|
| 14.04 LTS trusty |
Fixed 0.2.4.27-1ubuntu0.1
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.7 · Low
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |