CVE-2021-45884

Summary

CVE	CVE-2021-45884
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-12-27 22:15:00 UTC
Updated	2022-01-07 19:48:00 UTC
Description	In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based adblocking and a proxying extension with a SOCKS fallback are enabled, additional DNS requests are issued outside of the proxying extension using the system's DNS settings, resulting in information disclosure. NOTE: this issue exists because of an incomplete fix for CVE-2021-21323 and CVE-2021-22916.

Risk And Classification

Problem Types: CWE-200

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Macos	-	All	All	All
Application	Brave	Brave	All	All	All	All
Operating System	Linux	Linux Kernel	-	All	All	All
Operating System	Microsoft	Windows	-	All	All	All

References

Reference	Source	Link	Tags
hackerone #1377864 - CNAME Uncloacking in SOCKS5 protocol · Issue #19070 · brave/brave-browser · GitHub	MISC	github.com
HackerOne	MISC	hackerone.com
[Desktop] Release notes for `1.33.x - Release` · Issue #20079 · brave/brave-browser · GitHub	MISC	github.com
Disable CNAME uncloaking when a proxy extension with a socks fallback is enabled by antonok-edm · Pull Request #10742 · brave/brave-core · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.