Lucene search

GitHub_MCVELIST:CVE-2021-21323

HistoryFeb 23, 2021 - 10:45 p.m.

CVE-2021-21323 Regression in DNS leakage from Tor windows

2021-02-2322:45:19

CWE-200

GitHub_M

www.cve.org

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.9%

JSON

Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108

CNA Affected

[
  {
    "product": "brave-browser",
    "vendor": "brave",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.17.73, < 1.20.108"
      }
    ]
  }
]

References

github.com/brave/brave-browser/issues/13527

github.com/brave/brave-browser/security/advisories/GHSA-mqjf-9x5g-2rv6

github.com/brave/brave-core/commit/12fe321eaad8acc1cbd1d70b4128f687777bcf15

github.com/brave/brave-core/pull/7769

hackerone.com/reports/1077022

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.9%

JSON

Related for CVELIST:CVE-2021-21323