CVE-2023-23589 - Vulnerability Details - OpenCVE

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Fedoraproject	Fedora
Torproject	Tor

Configuration 1 [-]

cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

No data.

References

Link	Providers
https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc
https://gitlab.torproject.org/tpo/core/tor/-/issues/40730
https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes
https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/
https://security.gentoo.org/glsa/202305-11
https://www.debian.org/security/2023/dsa-5320

History

Mon, 07 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-693
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-14T00:00:00.000Z

Updated: 2025-04-07T18:14:11.104Z

Reserved: 2023-01-14T00:00:00.000Z

Link: CVE-2023-23589

Vulnrichment

Updated: 2024-08-02T10:35:33.384Z

NVD

Status : Modified

Published: 2023-01-14T01:15:15.627

Modified: 2025-04-07T19:15:52.637

Link: CVE-2023-23589

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-23589", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-07T18:14:11.104Z", "dateReserved": "2023-01-14T00:00:00.000Z", "datePublished": "2023-01-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-03T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes"}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730"}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc"}, {"name": "DSA-5320", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5320"}, {"name": "FEDORA-2023-c290171664", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/"}, {"name": "FEDORA-2023-1254a1fc28", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/"}, {"name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3286-1] tor security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"}, {"name": "GLSA-202305-11", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-11"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.384Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes", "tags": ["x_transferred"]}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730", "tags": ["x_transferred"]}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc", "tags": ["x_transferred"]}, {"name": "DSA-5320", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5320"}, {"name": "FEDORA-2023-c290171664", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/"}, {"name": "FEDORA-2023-1254a1fc28", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/"}, {"name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3286-1] tor security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"}, {"name": "GLSA-202305-11", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-11"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-693", "lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-07T18:13:18.347462Z", "id": "CVE-2023-23589", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T18:14:11.104Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes", "tags": ["x_transferred"]}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730", "tags": ["x_transferred"]}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5320", "name": "DSA-5320", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/", "name": "FEDORA-2023-c290171664", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/", "name": "FEDORA-2023-1254a1fc28", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html", "name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3286-1] tor security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202305-11", "name": "GLSA-202305-11", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.384Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-23589", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-07T18:13:18.347462Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T18:14:06.091Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes"}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730"}, {"url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc"}, {"url": "https://www.debian.org/security/2023/dsa-5320", "name": "DSA-5320", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/", "name": "FEDORA-2023-c290171664", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/", "name": "FEDORA-2023-1254a1fc28", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html", "name": "[debian-lts-announce] 20230128 [SECURITY] [DLA 3286-1] tor security update", "tags": ["mailing-list"]}, {"url": "https://security.gentoo.org/glsa/202305-11", "name": "GLSA-202305-11", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-03T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-23589", "state": "PUBLISHED", "dateUpdated": "2025-04-07T18:14:11.104Z", "dateReserved": "2023-01-14T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-01-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*", "matchCriteriaId": "12B2A54B-3113-4BB0-82D6-27EC4D1F4043", "versionEndExcluding": "0.4.7.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002."}, {"lang": "es", "value": "La opci\u00f3n SafeSocks en Tor anterior a 0.4.7.13 tiene un error l\u00f3gico en el que se puede usar el protocolo SOCKS4 inseguro pero no el protocolo SOCKS4a seguro, tambi\u00e9n conocido como TROVE-2022-002."}], "id": "CVE-2023-23589", "lastModified": "2025-04-07T19:15:52.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-14T01:15:15.627", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202305-11"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd959d0537c021ff7ffc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/issues/40730"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.7/ReleaseNotes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00026.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYOLTP6HQO2HPXUYKOR7P5YYYN7CINQQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMY4FWXYKP3MDXTZ3EJ7XJVGBCKBK2XL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202305-11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5320"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}