Lucene search

K
redhatRedHatRHSA-2024:5328
HistoryAug 13, 2024 - 4:11 p.m.

(RHSA-2024:5328) Important: firefox security update

2024-08-1316:11:53
CWE-787
access.redhat.com
8
mozilla firefox
security fix
fullscreen notification dialog
out of bounds memory access
type confusion
webassembly
csp strict-dynamic bypass
missing permission check
uninitialized memory
use-after-free
document content
pk11_encrypt
cve-2024-7518
cve-2024-7519
cve-2024-7520
cve-2024-7521
cve-2024-7522
cve-2024-7524
cve-2024-7525
cve-2024-7526
cve-2024-7527
cve-2024-7528
cve-2024-7529
cve-2024-7531

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • Firefox: 115.14/128.1 ESR ()

  • mozilla: Fullscreen notification dialog can be obscured by document content (CVE-2024-7518)

  • mozilla: Out of bounds memory access in graphics shared memory handling (CVE-2024-7519)

  • mozilla: Type confusion in WebAssembly (CVE-2024-7520)

  • mozilla: Incomplete WebAssembly exception handing (CVE-2024-7521)

  • mozilla: Out of bounds read in editor component (CVE-2024-7522)

  • mozilla: CSP strict-dynamic bypass using web-compatibility shims (CVE-2024-7524)

  • mozilla: Missing permission check when creating a StreamFilter (CVE-2024-7525)

  • mozilla: Uninitialized memory used by WebGL (CVE-2024-7526)

  • mozilla: Use-after-free in JavaScript garbage collection (CVE-2024-7527)

  • mozilla: Use-after-free in IndexedDB (CVE-2024-7528)

  • mozilla: Document content could partially obscure security prompts (CVE-2024-7529)

  • mozilla: nss: PK11_Encrypt using CKM_CHACHA20 can reveal plaintext on Intel Sandy Bridge machines (CVE-2024-7531)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected configurations

Vulners
Node
redhatfirefox-0Range115.14.0-2.el7_9
OR
redhatfirefoxRange115.14.0-2.el8_10
OR
redhatfirefox-0Range115.14.0-2.el8_2
OR
redhatfirefox-0Range115.14.0-2.el8_4
OR
redhatfirefox-0Range115.14.0-2.el8_6
OR
redhatfirefox-0Range115.14.0-2.el8_8
OR
redhatfirefoxRange115.14.0-2.el9_4
OR
redhatfirefox-0Range115.14.0-2.el9_0
OR
redhatfirefox-0Range115.14.0-2.el9_2
OR
redhatthunderbirdRange115.14.0-1.el8_10
OR
redhatthunderbird-0Range115.14.0-1.el8_2
OR
redhatthunderbird-0Range115.14.0-1.el8_4
OR
redhatthunderbird-0Range115.14.0-1.el8_6
OR
redhatthunderbird-0Range115.14.0-1.el8_8
OR
redhatthunderbirdRange115.14.0-1.el9_4
OR
redhatthunderbird-0Range115.14.0-1.el9_0
OR
redhatthunderbird-0Range115.14.0-1.el9_2
AND
redhatenterprise_linuxMatch8
OR
redhatenterprise_linuxMatch9
VendorProductVersionCPE
redhatfirefox-0*cpe:2.3:a:redhat:firefox-0:*:*:*:*:*:*:*:*
redhatfirefox*cpe:2.3:a:redhat:firefox:*:*:*:*:*:*:*:*
redhatthunderbird*cpe:2.3:a:redhat:thunderbird:*:*:*:*:*:*:*:*
redhatthunderbird-0*cpe:2.3:a:redhat:thunderbird-0:*:*:*:*:*:*:*:*
redhatenterprise_linux8cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
redhatenterprise_linux9cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High