CVE-2019-12383 (GCVE-0-2019-12383)

Vulnerability from cvelistv5 – Published: 2019-05-28 02:21 – Updated: 2024-08-04 23:17
VLAI?
Summary
Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser's UI locale by measuring a button width, even if the user has a "Don't send my language" setting.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:17:39.997Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://trac.torproject.org/projects/tor/ticket/24056"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/282748"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55"
          },
          {
            "name": "108484",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108484"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser\u0027s UI locale by measuring a button width, even if the user has a \"Don\u0027t send my language\" setting."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-29T08:06:02",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://trac.torproject.org/projects/tor/ticket/24056"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/282748"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55"
        },
        {
          "name": "108484",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108484"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12383",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser\u0027s UI locale by measuring a button width, even if the user has a \"Don\u0027t send my language\" setting."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://trac.torproject.org/projects/tor/ticket/24056",
              "refsource": "MISC",
              "url": "https://trac.torproject.org/projects/tor/ticket/24056"
            },
            {
              "name": "https://hackerone.com/reports/282748",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/282748"
            },
            {
              "name": "https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55",
              "refsource": "MISC",
              "url": "https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55"
            },
            {
              "name": "108484",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108484"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12383",
    "datePublished": "2019-05-28T02:21:05",
    "dateReserved": "2019-05-27T00:00:00",
    "dateUpdated": "2024-08-04T23:17:39.997Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:torproject:tor_browser:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.0.1\", \"matchCriteriaId\": \"85D4B891-7C98-4E0D-9D18-8B78B4D620C0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser\u0027s UI locale by measuring a button width, even if the user has a \\\"Don\u0027t send my language\\\" setting.\"}, {\"lang\": \"es\", \"value\": \"Tor Browser anterior de la versi\\u00f3n 8.0.1, presenta una vulnerabilidad de exposici\\u00f3n de informaci\\u00f3n. Permite a atacantes remotos detectar la interfaz de usuario (UI) local del navegador mediante la medici\\u00f3n de el ancho de Buttom, incluso si el usuario tiene una configuraci\\u00f3n de \\\"Don\u0027t send my language\\\".\"}]",
      "id": "CVE-2019-12383",
      "lastModified": "2024-11-21T04:22:43.203",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-05-28T03:29:00.513",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/108484\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/282748\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://trac.torproject.org/projects/tor/ticket/24056\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/108484\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/282748\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://trac.torproject.org/projects/tor/ticket/24056\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-12383\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-05-28T03:29:00.513\",\"lastModified\":\"2024-11-21T04:22:43.203\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser\u0027s UI locale by measuring a button width, even if the user has a \\\"Don\u0027t send my language\\\" setting.\"},{\"lang\":\"es\",\"value\":\"Tor Browser anterior de la versi\u00f3n 8.0.1, presenta una vulnerabilidad de exposici\u00f3n de informaci\u00f3n. Permite a atacantes remotos detectar la interfaz de usuario (UI) local del navegador mediante la medici\u00f3n de el ancho de Buttom, incluso si el usuario tiene una configuraci\u00f3n de \\\"Don\u0027t send my language\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:torproject:tor_browser:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.0.1\",\"matchCriteriaId\":\"85D4B891-7C98-4E0D-9D18-8B78B4D620C0\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/108484\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/282748\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://trac.torproject.org/projects/tor/ticket/24056\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108484\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/282748\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://trac.torproject.org/projects/tor/ticket/24056\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.