Privacy Compromise in Tor Browser Due to Correlation Attack Vulnerability
CVE-2021-39246

6.1 MEDIUM

Key Information:

Vendor: Torproject
CVE Published: 24 September 2021

What is CVE-2021-39246?

Tor Browser versions 10.5.6 and 11.x up to 11.0a4 are susceptible to a correlation attack that can compromise user privacy when visiting v2 onion addresses. The browser logs the precise timestamps of visits to these onion services locally. An attacker might exploit this by matching these logged timestamps against data obtained from the targeted onion service or, potentially, from malicious sites within the Tor network, undermining the anonymity that Tor aims to provide.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
