
CVSS: 7.5 • EPSS: 0% • CPEs: 4 • EXPL: 1

In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based adblocking and a proxying extension with a SOCKS fallback are enabled, additional DNS requests are issued outside of the proxying extension using the system's DNS settings, resulting in information disclosure. NOTE: this issue exists because of an incomplete fix for CVE-2021-21323 and CVE-2021-22916. • https://github.com/brave/brave-browser/issues/19070 https://github.com/brave/brave-browser/issues/20079 https://github.com/brave/brave-core/pull/10742 https://hackerone.com/reports/1377864 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

An information disclosure exists in Brave Browser Desktop prior to version 1.28.62, where warning messages that included timestamps of connections to V2 onion domains were logged in tor.log. • https://hackerone.com/reports/1249056 • CWE-312: Cleartext Storage of Sensitive Information • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

In Brave Desktop between versions 1.17 and 1.26.60, when adblocking is enabled and a proxy browser extension is installed, the CNAME adblocking feature issues DNS requests that use the system DNS settings instead of the extension's proxy settings, resulting in possible information disclosure. • https://hackerone.com/reports/1203842 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108. • https://github.com/brave/brave-browser/issues/13527 https://github.com/brave/brave-browser/security/advisories/GHSA-mqjf-9x5g-2rv6 https://github.com/brave/brave-core/commit/12fe321eaad8acc1cbd1d70b4128f687777bcf15 https://github.com/brave/brave-core/pull/7769 https://hackerone.com/reports/1077022 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave's server, but rather a value from: "Used in last 24h", "Used in last week but not 24h", "Used in last 28 days but not week", "Ever used but not in last 28 days", "Never used". The privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window. • https://hackerone.com/reports/1024668 • CWE-312: Cleartext Storage of Sensitive Information