{"id":"RUSTSEC-2024-0339","summary":"Tor path lengths too short when \"Vanguards lite\" configured","details":"## Description\n\nWhen building anonymizing circuits to or from an onion service with \n'lite' vanguards (the default) enabled, \nthe circuit manager code would build the circuits with one hop too few.\n\n## Impact\n\nThis makes users of this code more vulnerable to some kinds of traffic analysis\nwhen they run or visit onion services.\n\n## Vulnerable configurations and use cases\n\nArti configured with \"vangaurds lite\" is vulnerable;\nthis is the default.\n\nOnly users who make connections to Onion Services\n(Tor Hidden Services) are affected.\nNote, however, that when used as a browser proxy,\nmalicious web pages can typically make such connections.\n\n## Mitigation\n\nEnable the \"full vanguards\" feature.\nThis has some cost in terms of performance, reliability,\nand impact on the Tor Network.\n\n(Arti configured with \"full vanguards\" has a similar bug,\nTROVE-2024-04,\nso this will not deliver the full incressed security of \"full vanguards\";\nbut the security level of affected versions of Arti\nconfigured with \"full vanguards\" still exceeds\nthe intended security level of the \"vanguards lite\" configuration.)\n\nAlternatively,\npreventing access to Tor Hidden Services will avoid the problem,\nwith corresponding loss of functionality.\nThis can be achieved in the Arti configuration file with:\n\n```\n[address_filter]\nallow_onion_addrs = false\n```\n\n## Resolution\n\nRebuild `arti` (or other affected applications)\nwith a fixed version of `tor-circmgr`:\n0.18.1 or later.\n\nThe fixed `tor-circmgr` is on crates.io and available in\n[the upstream git repository](https://gitlab.torproject.org/tpo/core/arti)\nat signed tag `arti-v1.2.3`.\n\n### Note about older versions\n\nEven though earlier versions are classified as \"not affected\",\nthis is because in those versions the Vanguards feature\nis experimental, or absent.\nDowngrading worsens security, rather than improving it.\n\n## References\n\n * [arti#1409](https://gitlab.torproject.org/tpo/core/arti/-/issues/1409):\n   the ticket in the Arti bugtracker.\n * [TROVE](https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE)\n   Tor Project vulnerability database.\n * [arti#1400](https://gitlab.torproject.org/tpo/core/arti/-/issues/1400):\n   the similar bug with the full vanguards feature.","aliases":["CVE-2024-35312","CVE-2024-35313","GHSA-9328-gcfq-p269","GHSA-c96h-cxx6-rmg9","RUSTSEC-2024-0340","TROVE-2024-003","TROVE-2024-004"],"modified":"2026-02-04T02:58:07.410619Z","published":"2024-05-15T12:00:00Z","related":["TROVE-2024-004"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tor-circmgr"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0339.html"},{"type":"REPORT","url":"https://gitlab.torproject.org/tpo/core/arti/-/issues/1409"}],"affected":[{"package":{"name":"tor-circmgr","ecosystem":"crates.io","purl":"pkg:cargo/tor-circmgr"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.18.0"},{"fixed":"0.18.1"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"categories":[],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0339.json","cvss":null,"informational":null}}],"schema_version":"1.7.3"}