CVE-2021-21323 — MEDIUM (4.3)

Q: How severe is CVE-2021-21323?

CVE-2021-21323 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21323?

Check the references section above for vendor advisories and patch information. Affected products include: Brave Brave.

Vulnerability Description

Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Brave	Brave	>= 1.17.73, <= 1.20.103

Related Weaknesses (CWE)

CWE-200

References

https://github.com/brave/brave-browser/issues/13527PatchThird Party Advisory
https://github.com/brave/brave-browser/security/advisories/GHSA-mqjf-9x5g-2rv6Third Party Advisory
https://github.com/brave/brave-core/commit/12fe321eaad8acc1cbd1d70b4128f687777bcPatchThird Party Advisory
https://github.com/brave/brave-core/pull/7769PatchThird Party Advisory
https://hackerone.com/reports/1077022Permissions RequiredThird Party Advisory
https://github.com/brave/brave-browser/issues/13527PatchThird Party Advisory
https://github.com/brave/brave-browser/security/advisories/GHSA-mqjf-9x5g-2rv6Third Party Advisory
https://github.com/brave/brave-core/commit/12fe321eaad8acc1cbd1d70b4128f687777bcPatchThird Party Advisory
https://github.com/brave/brave-core/pull/7769PatchThird Party Advisory
https://hackerone.com/reports/1077022Permissions RequiredThird Party Advisory

FAQ

What is CVE-2021-21323?

CVE-2021-21323 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests th...

How severe is CVE-2021-21323?

CVE-2021-21323 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21323?

Check the references section above for vendor advisories and patch information. Affected products include: Brave Brave.