CVE-2019-12383 — Observable Discrepancy in TOR Browser

CWE-203 — Observable Discrepancy4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 27.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Torproject TOR Browser Debian Firefox Debian Firefox-esr

Timeline

PublishedMay 28

Latest updateMay 24

Description

Tor Browser before 8.0.1 has an information exposure vulnerability. It allows remote attackers to detect the browser's UI locale by measuring a button width, even if the user has a "Don't send my language" setting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDtorproject/tor_browser< 8.0.1

▶debiandebian/firefox

▶debiandebian/firefox-esr

Patches

Patch: gitweb.torproject.org ↗Patch: gitweb.torproject.org ↗

🔴Vulnerability Details

GHSA

GHSA-9c7r-v445-c52r: Tor Browser before 8↗2022-05-24

▶

OSV

CVE-2019-12383: Tor Browser before 8↗2019-05-28

▶

📋Vendor Advisories

Debian

CVE-2019-12383: firefox - Tor Browser before 8.0.1 has an information exposure vulnerability. It allows re...↗2019

▶