Vulnerability CVE-2021-21323


Published: 2021-02-23   Modified: 2021-02-24

Description:
Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108

Type:

CWE-200

(Information Exposure)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Brave -> Brave 

 References:
https://github.com/brave/brave-browser/issues/13527
https://github.com/brave/brave-browser/security/advisories/GHSA-mqjf-9x5g-2rv6
https://github.com/brave/brave-core/commit/12fe321eaad8acc1cbd1d70b4128f687777bcf15
https://github.com/brave/brave-core/pull/7769
https://hackerone.com/reports/1077022

Copyright 2024, cxsecurity.com

 

Back to Top