CVE-2019-12383 - Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to de

CVE Details

CVE-2019-12383

Summary

Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser's UI locale by measuring a button width, even if the user has a "Don't send my language" setting.

References

Vulnerable Configurations

cpe:2.3:a:torproject:tor_browser:-:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:-:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:5.5.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.5.1:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.5.1:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.5.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:6.5.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.9:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.9:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.11:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.0.11:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.5:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.5.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.5.3:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.5.6:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:7.5.6:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:8.0:*:*:*:*:*:*:*
cpe:2.3:a:torproject:tor_browser:8.0:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 24-08-2020 - 17:37)
Impact:	2.9
Exploitability:	8.6

CWE

CWE-203

CAPEC

Click the CAPEC title to display a description

Black Box Reverse Engineering
An attacker discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

CVSS v3.1

Base:	4.3 (as of 24-08-2020 - 17:37)
Impact:	1.4
Exploitability:	2.8

Exploitability v3.1

Attack Complexity	Attack vector	Privileges Required	Scope	User Interaction
LOW	NETWORK	NONE	UNCHANGED	REQUIRED

Impact v3.1

Confidentiality	Integrity	Availability
LOW	NONE	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:N/A:N

cvss3-vector via4

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

refmap via4

bid	108484
misc	https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55 https://hackerone.com/reports/282748 https://trac.torproject.org/projects/tor/ticket/24056

Last major update

24-08-2020 - 17:37

Published

28-05-2019 - 03:29

Last modified

24-08-2020 - 17:37