CVE-2023-36325

i2p before 2.3.0 (Java) allows de-anonymizing the public IPv4 and IPv6 addresses of i2p hidden services (aka eepsites) via a correlation attack across the IPv4 and IPv6 addresses that occurs when a tunneled, replayed message has a behavior discrepancy (it may be dropped, or may result in a Wrong Destination response). An attack would take days to complete.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://geti2p.net/en/blog/post/2023/06/25/new_release_2.3.0
https://i2pgit.org/i2p-hackers/i2p.i2p/-/commit/82aa4e19fbb37ca1bd752ec1b836120beec0985f
https://xeiaso.net/blog/CVE-2023-36325

Configurations

No configuration.

History

04 Nov 2024, 22:35

Type	Values Removed	Values Added
CWE		CWE-203
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 3.7

10 Oct 2024, 12:51

Type	Values Removed	Values Added
Summary		(es) i2p anterior a la versión 2.3.0 (Java) permite desanonimizar las direcciones IPv4 e IPv6 públicas de los servicios ocultos de i2p (también conocidos como eepsites) mediante un ataque de correlación entre las direcciones IPv4 e IPv6 que se produce cuando un mensaje tunelizado y reproducido tiene una discrepancia de comportamiento (puede descartarse o puede dar como resultado una respuesta de destino incorrecto). Un ataque tardaría días en completarse.

09 Oct 2024, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-09 06:15

Updated : 2024-11-04 22:35

NVD link : CVE-2023-36325

Mitre link : CVE-2023-36325

CVE.ORG link : CVE-2023-36325

JSON object : View

Products Affected

No product.

CWE

CWE-203

Observable Discrepancy

3.7 /10