Vulnerability Details : CVE-2020-8276
The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave's server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window.
Products affected by CVE-2020-8276
- cpe:2.3:a:brave:brave:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-8276
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-8276
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2020-8276
-
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)
References for CVE-2020-8276
-
https://hackerone.com/reports/1024668
#1024668 Brave Browser potentially logs the last time a Tor window was usedExploit;Issue Tracking;Third Party Advisory
Jump to