Skip to main content

Brave CVE-2021-21323

MEDIUM
Information Exposure (CWE-200)
2021-02-23 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 23, 2021 - 23:15 nvd
MEDIUM 5.3

DescriptionNVD

Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108

AnalysisAI

Brave is an open source web browser with a focus on privacy and security. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108 Affected products include: Brave. Version information: version 1.20.108.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

More in Brave

View all
CVE-2021-45884 HIGH POC
7.5 Dec 27

In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based adblocking and a proxying extension with a SOCKS fa

CVE-2017-8458 MEDIUM POC
6.5 May 03

Brave 0.12.4 has a URI Obfuscation issue in which a string such as https://safe.example.com@unsafe.example.com/ is displ

CVE-2022-47934 MEDIUM POC
6.5 Dec 24

Brave Browser before 1.43.88 allowed a remote attacker to cause a denial of service in private and guest windows via a c

CVE-2022-47933 MEDIUM POC
6.5 Dec 24

Brave Browser before 1.42.51 allowed a remote attacker to cause a denial of service via a crafted HTML file that referen

CVE-2022-47932 MEDIUM POC
6.5 Dec 24

Brave Browser before 1.43.34 allowed a remote attacker to cause a denial of service via a crafted HTML file that mention

CVE-2018-10799 MEDIUM POC
6.5 May 08

A hang issue was discovered in Brave before 0.14.0 (on, for example, Linux). Rated medium severity (CVSS 6.5), this vuln

CVE-2018-10798 MEDIUM POC
6.5 May 08

A hang issue was discovered in Brave before 0.14.0 (on, for example, Linux). Rated medium severity (CVSS 6.5), this vuln

CVE-2021-22929 MEDIUM POC
6.1 Aug 31

An information disclosure exists in Brave Browser Desktop prior to version 1.28.62, where logged warning messages that i

CVE-2020-8276 MEDIUM POC
5.5 Nov 09

The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the times

CVE-2017-8459 MEDIUM POC
5.3 May 03

Brave 0.12.4 has a Status Bar Obfuscation issue in which a redirection target is shown in a possibly unexpected way. Rat

CVE-2022-30334 MEDIUM POC
5.3 May 07

Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers.

CVE-2023-51534 MEDIUM
5.9 Feb 01

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brave Brave - Crea

Share

CVE-2021-21323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy