Vulnerability-Lookup

CVE-2024-1551 (GCVE-0-2024-1551)

Vulnerability from cvelistv5 – Published: 2024-02-20 13:21 – Updated: 2025-02-13 17:27

Summary

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

Multipart HTTP Responses would accept the Set-Cookie header in response parts

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1864385
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://lists.debian.org/debian-lts-announce/2024…
https://lists.debian.org/debian-lts-announce/2024…

Impacted products

3 products

Vendor	Product	Version
Mozilla	Firefox	Affected: unspecified , < 123 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 115.8 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 115.8 (custom)

Credits

Johan Carlsson

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-1551",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T19:24:43.029482Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-565",
                "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T22:09:39.430Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:40:21.333Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2024-05/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2024-06/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2024-07/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "123",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Johan Carlsson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123, Firefox ESR \u003c 115.8, and Thunderbird \u003c 115.8."
            }
          ],
          "value": "Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123, Firefox ESR \u003c 115.8, and Thunderbird \u003c 115.8."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Multipart HTTP Responses would accept the Set-Cookie header in response parts",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-04T09:05:54.814Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-05/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-06/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-07/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2024-1551",
    "datePublished": "2024-02-20T13:21:36.343Z",
    "dateReserved": "2024-02-15T18:01:51.754Z",
    "dateUpdated": "2025-02-13T17:27:40.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-1551",
      "date": "2026-05-26",
      "epss": "0.00291",
      "percentile": "0.52507"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123, Firefox ESR \u003c 115.8, and Thunderbird \u003c 115.8.\"}, {\"lang\": \"es\", \"value\": \"Los encabezados de respuesta Set-Cookie se respetaban incorrectamente en las respuestas HTTP de varias partes. Si un atacante pudiera controlar el encabezado de respuesta Content-Type, as\\u00ed como controlar parte del cuerpo de la respuesta, podr\\u00eda inyectar encabezados de respuesta Set-Cookie que el navegador habr\\u00eda respetado. Esta vulnerabilidad afecta a Firefox \u0026lt; 123, Firefox ESR \u0026lt; 115.8 y Thunderbird \u0026lt; 115.8.\"}]",
      "id": "CVE-2024-1551",
      "lastModified": "2024-11-21T08:50:48.600",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2024-02-20T14:15:08.790",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1864385\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-05/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-06/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-07/\", \"source\": \"security@mozilla.org\"}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1864385\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-05/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-06/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-07/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-565\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-1551\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2024-02-20T14:15:08.790\",\"lastModified\":\"2025-04-02T20:12:09.320\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123, Firefox ESR \u003c 115.8, and Thunderbird \u003c 115.8.\"},{\"lang\":\"es\",\"value\":\"Los encabezados de respuesta Set-Cookie se respetaban incorrectamente en las respuestas HTTP de varias partes. Si un atacante pudiera controlar el encabezado de respuesta Content-Type, as\u00ed como controlar parte del cuerpo de la respuesta, podr\u00eda inyectar encabezados de respuesta Set-Cookie que el navegador habr\u00eda respetado. Esta vulnerabilidad afecta a Firefox \u0026lt; 123, Firefox ESR \u0026lt; 115.8 y Thunderbird \u0026lt; 115.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-565\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*\",\"versionEndExcluding\":\"115.8.0\",\"matchCriteriaId\":\"355C0EEB-8EF2-4464-BDD4-7616AA6A65FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"123.0\",\"matchCriteriaId\":\"DD7E737F-745F-4A07-B4E3-B51D2DB6C96F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"115.8.0\",\"matchCriteriaId\":\"7380CBFA-8328-4F35-AE4F-46482C77BEF6\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1864385\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html\",\"source\":\"security@mozilla.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-05/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-06/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-07/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1864385\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-05/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-06/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2024-07/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1864385\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-05/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-06/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-07/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:40:21.333Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1551\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-21T19:24:43.029482Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-565\", \"description\": \"CWE-565 Reliance on Cookies without Validation and Integrity Checking\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-05T15:20:37.518Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Johan Carlsson\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"123\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"115.8\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"115.8\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1864385\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-05/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-06/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2024-07/\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123, Firefox ESR \u003c 115.8, and Thunderbird \u003c 115.8.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123, Firefox ESR \u003c 115.8, and Thunderbird \u003c 115.8.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Multipart HTTP Responses would accept the Set-Cookie header in response parts\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2024-02-20T19:23:38.186Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-1551\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-19T22:09:39.430Z\", \"dateReserved\": \"2024-02-15T18:01:51.754Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2024-02-20T13:21:36.343Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0150

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.8
Mozilla	Thunderbird	Thunderbird versions antérieures à 115.8
Mozilla	Firefox	Firefox versions antérieures à 123

References

Title

Publication Time

CERTFR-2024-AVI-0150

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 115.8
Mozilla	Thunderbird	Thunderbird versions antérieures à 115.8
Mozilla	Firefox	Firefox versions antérieures à 123

References

Title

Publication Time

alsa-2024:0952

Vulnerability from osv_almalinux

Published

2024-02-22 00:00

Modified

2024-02-28 15:59

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)
Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)
Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)
Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)
Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)
Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)
Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)
Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:0952	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-1546	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1547	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1548	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1549	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1550	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1551	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1552	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1553	REPORT
	https://bugzilla.redhat.com/2265349	REPORT
	https://bugzilla.redhat.com/2265350	REPORT
	https://bugzilla.redhat.com/2265351	REPORT
	https://bugzilla.redhat.com/2265352	REPORT
	https://bugzilla.redhat.com/2265353	REPORT
	https://bugzilla.redhat.com/2265354	REPORT
	https://bugzilla.redhat.com/2265355	REPORT
	https://bugzilla.redhat.com/2265356	REPORT
	https://errata.almalinux.org/9/ALSA-2024-0952.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.8.0-1.el9_3.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox-x11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.8.0-1.el9_3.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 115.8.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)\n* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)\n* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)\n* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)\n* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)\n* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)\n* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)\n* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:0952",
  "modified": "2024-02-28T15:59:36Z",
  "published": "2024-02-22T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:0952"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1546"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1547"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1548"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1549"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1550"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1551"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1553"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265351"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265352"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265353"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265354"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265355"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-0952.html"
    }
  ],
  "related": [
    "CVE-2024-1546",
    "CVE-2024-1547",
    "CVE-2024-1553",
    "CVE-2024-1548",
    "CVE-2024-1549",
    "CVE-2024-1550",
    "CVE-2024-1551",
    "CVE-2024-1552"
  ],
  "summary": "Important: firefox security update"
}

alsa-2024:0955

Vulnerability from osv_almalinux

Published

2024-02-26 00:00

Modified

2024-02-28 15:49

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.8.0 ESR.

Security Fix(es):

Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)
Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)
Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)
Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)
Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)
Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)
Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)
Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:0955	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-1546	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1547	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1548	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1549	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1550	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1551	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1552	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1553	REPORT
	https://bugzilla.redhat.com/2265349	REPORT
	https://bugzilla.redhat.com/2265350	REPORT
	https://bugzilla.redhat.com/2265351	REPORT
	https://bugzilla.redhat.com/2265352	REPORT
	https://bugzilla.redhat.com/2265353	REPORT
	https://bugzilla.redhat.com/2265354	REPORT
	https://bugzilla.redhat.com/2265355	REPORT
	https://bugzilla.redhat.com/2265356	REPORT
	https://errata.almalinux.org/8/ALSA-2024-0955.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.8.0-1.el8_9.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 115.8.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)\n* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)\n* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)\n* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)\n* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)\n* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)\n* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)\n* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:0955",
  "modified": "2024-02-28T15:49:38Z",
  "published": "2024-02-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:0955"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1546"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1547"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1548"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1549"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1550"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1551"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1553"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265351"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265352"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265353"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265354"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265355"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-0955.html"
    }
  ],
  "related": [
    "CVE-2024-1546",
    "CVE-2024-1547",
    "CVE-2024-1553",
    "CVE-2024-1548",
    "CVE-2024-1549",
    "CVE-2024-1550",
    "CVE-2024-1551",
    "CVE-2024-1552"
  ],
  "summary": "Important: firefox security update"
}

alsa-2024:0963

Vulnerability from osv_almalinux

Published

2024-02-26 00:00

Modified

2024-02-28 15:36

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.8.0.

Security Fix(es):

Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)
Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)
Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)
Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)
Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)
Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)
Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)
Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:0963	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-1546	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1547	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1548	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1549	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1550	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1551	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1552	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1553	REPORT
	https://bugzilla.redhat.com/2265349	REPORT
	https://bugzilla.redhat.com/2265350	REPORT
	https://bugzilla.redhat.com/2265351	REPORT
	https://bugzilla.redhat.com/2265352	REPORT
	https://bugzilla.redhat.com/2265353	REPORT
	https://bugzilla.redhat.com/2265354	REPORT
	https://bugzilla.redhat.com/2265355	REPORT
	https://bugzilla.redhat.com/2265356	REPORT
	https://errata.almalinux.org/9/ALSA-2024-0963.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.8.0-1.el9_3.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.8.0.\n\nSecurity Fix(es):\n\n* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)\n* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)\n* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)\n* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)\n* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)\n* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)\n* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)\n* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:0963",
  "modified": "2024-02-28T15:36:17Z",
  "published": "2024-02-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:0963"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1546"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1547"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1548"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1549"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1550"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1551"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1553"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265351"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265352"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265353"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265354"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265355"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-0963.html"
    }
  ],
  "related": [
    "CVE-2024-1546",
    "CVE-2024-1547",
    "CVE-2024-1553",
    "CVE-2024-1548",
    "CVE-2024-1549",
    "CVE-2024-1550",
    "CVE-2024-1551",
    "CVE-2024-1552"
  ],
  "summary": "Important: thunderbird security update"
}

alsa-2024:0964

Vulnerability from osv_almalinux

Published

2024-02-26 00:00

Modified

2024-02-28 15:29

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.8.0.

Security Fix(es):

Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)
Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)
Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)
Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)
Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)
Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)
Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)
Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:0964	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-1546	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1547	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1548	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1549	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1550	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1551	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1552	REPORT
	https://access.redhat.com/security/cve/CVE-2024-1553	REPORT
	https://bugzilla.redhat.com/2265349	REPORT
	https://bugzilla.redhat.com/2265350	REPORT
	https://bugzilla.redhat.com/2265351	REPORT
	https://bugzilla.redhat.com/2265352	REPORT
	https://bugzilla.redhat.com/2265353	REPORT
	https://bugzilla.redhat.com/2265354	REPORT
	https://bugzilla.redhat.com/2265355	REPORT
	https://bugzilla.redhat.com/2265356	REPORT
	https://errata.almalinux.org/8/ALSA-2024-0964.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.8.0-1.el8_9.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.8.0.\n\nSecurity Fix(es):\n\n* Mozilla: Out-of-bounds memory read in networking channels (CVE-2024-1546)\n* Mozilla: Alert dialog could have been spoofed on another site (CVE-2024-1547)\n* Mozilla: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8 (CVE-2024-1553)\n* Mozilla: Fullscreen Notification could have been hidden by select element (CVE-2024-1548)\n* Mozilla: Custom cursor could obscure the permission dialog (CVE-2024-1549)\n* Mozilla: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants (CVE-2024-1550)\n* Mozilla: Multipart HTTP Responses would accept the Set-Cookie header in response parts (CVE-2024-1551)\n* Mozilla: Incorrect code generation on 32-bit ARM devices (CVE-2024-1552)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:0964",
  "modified": "2024-02-28T15:29:38Z",
  "published": "2024-02-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:0964"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1546"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1547"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1548"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1549"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1550"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1551"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1553"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265351"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265352"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265353"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265354"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265355"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2265356"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2024-0964.html"
    }
  ],
  "related": [
    "CVE-2024-1546",
    "CVE-2024-1547",
    "CVE-2024-1553",
    "CVE-2024-1548",
    "CVE-2024-1549",
    "CVE-2024-1550",
    "CVE-2024-1551",
    "CVE-2024-1552"
  ],
  "summary": "Important: thunderbird security update"
}

BDU:2024-01663

Vulnerability from fstec - Published: 20.02.2024

Title

Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с неверной нейтрализацией особых элементов в выходных данных, используемых входящим компонентом, позволяющая нарушителю внедрить произвольные HTTP-заголовки

Description

Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird связана с неверной нейтрализацией особых элементов в выходных данных, используемых входящим компонентом. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, внедрить произвольные HTTP-заголовки, такие как Set-Cookie

Severity


                    
                      AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vendor

Red Hat Inc., ООО «РусБИТех-Астра», Сообщество свободного программного обеспечения, Canonical Ltd., ООО «Ред Софт», АО «ИВК», Mozilla Corp., АО "НППКТ"

Software Name

Red Hat Enterprise Linux, Red Hat Enterprise Linux Server, Astra Linux Special Edition (запись в едином реестре российских программ №369), Debian GNU/Linux, Ubuntu, Red Hat Enterprise Linux Workstation, РЕД ОС (запись в едином реестре российских программ №3751), АЛЬТ СП 10, Red Hat Enterprise Linux Server AUS, Red Hat Enterprise Linux Server TUS, Firefox ESR, Thunderbird, Firefox, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)

Software Version

Desktop 7 (Red Hat Enterprise Linux), 7 (Red Hat Enterprise Linux), 7 (Red Hat Enterprise Linux Server), 1.6 «Смоленск» (Astra Linux Special Edition), 8 (Red Hat Enterprise Linux), 10 (Debian GNU/Linux), 20.04 LTS (Ubuntu), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.0 (Red Hat Enterprise Linux Workstation), 7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), 9 (Red Hat Enterprise Linux), 4.7 (Astra Linux Special Edition), 8.6 Extended Update Support (Red Hat Enterprise Linux), 9.0 (Red Hat Enterprise Linux), - (АЛЬТ СП 10), 8.8 Extended Update Support (Red Hat Enterprise Linux), 8.2 (Red Hat Enterprise Linux Server AUS), 8.2 (Red Hat Enterprise Linux Server TUS), до 115.8 (Firefox ESR), до 115.8 (Thunderbird), до 123 (Firefox), 9.2 (Red Hat Enterprise Linux), до 2.10 (ОСОН ОСнова Оnyx)

Possible Mitigations

Использование рекомендаций: Для программных продуктов Mozilla Corp.: https://bugzilla.mozilla.org/show_bug.cgi?id=1864385 https://www.mozilla.org/security/advisories/mfsa2024-05/ https://www.mozilla.org/security/advisories/mfsa2024-06/ https://www.mozilla.org/security/advisories/mfsa2024-07/ Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/CVE-2024-1551 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2024-1551 Для Ubuntu: https://ubuntu.com/security/notices/USN-6649-1 Для ОС Альт 8 СП (релиз 10): установка обновления из публичного репозитория программного средства Для ОСОН ОСнова Оnyx (версия 2.10): Обновление программного обеспечения thunderbird до версии 1:115.9.0+repack-1~deb10u1.osnova1 Обновление программного обеспечения firefox-esr до версии 115.8.0esr+repack-1~deb10u1.osnova1 Для ОС Astra Linux: - обновить пакет firefox до 127.0.2+build1-0ubuntu0.20.04.1~mt1+ci202407030910+astra13 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17 - обновить пакет thunderbird до 1:115.12.0+build3-0ubuntu0.20.04.1+ci202406211519+astra2 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17 Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ Для Astra Linux Special Edition 1.6 «Смоленск»:: - обновить пакет thunderbird до 1:115.12.1+build1-0ubuntu0.20.04.1~mt1+ci202406211521+astra2 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16 - обновить пакет firefox до 128.0+build2-0ubuntu0.20.04.1+ci202407111318+astra13 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16 Для Astra Linux Special Edition 4.7 для архитектуры ARM: - обновить пакет firefox до 131.0.2+build1-0ubuntu0.20.04.1~mt1+ci202410111226+astra13 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47 - обновить пакет thunderbird до 1:115.16.0+build2-0ubuntu0.20.04.1~mt1+ci202410141704+astra2 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1864385 https://www.mozilla.org/security/advisories/mfsa2024-05/ https://www.mozilla.org/security/advisories/mfsa2024-06/ https://www.mozilla.org/security/advisories/mfsa2024-07/ https://access.redhat.com/security/cve/CVE-2024-1551 https://security-tracker.debian.org/tracker/CVE-2024-1551 https://ubuntu.com/security/notices/USN-6649-1 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.10/ https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17 http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16 https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47

CWE

CWE-74

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Canonical Ltd., \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, Mozilla Corp., \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "Desktop 7 (Red Hat Enterprise Linux), 7 (Red Hat Enterprise Linux), 7 (Red Hat Enterprise Linux Server), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 8 (Red Hat Enterprise Linux), 10 (Debian GNU/Linux), 20.04 LTS (Ubuntu), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.0 (Red Hat Enterprise Linux Workstation), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 9 (Red Hat Enterprise Linux), 4.7 (Astra Linux Special Edition), 8.6 Extended Update Support (Red Hat Enterprise Linux), 9.0 (Red Hat Enterprise Linux), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10), 8.8 Extended Update Support (Red Hat Enterprise Linux), 8.2 (Red Hat Enterprise Linux Server AUS), 8.2 (Red Hat Enterprise Linux Server TUS), \u0434\u043e 115.8 (Firefox ESR), \u0434\u043e 115.8 (Thunderbird), \u0434\u043e 123 (Firefox), 9.2 (Red Hat Enterprise Linux), \u0434\u043e 2.10 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Mozilla Corp.:\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1864385\t\nhttps://www.mozilla.org/security/advisories/mfsa2024-05/\t\nhttps://www.mozilla.org/security/advisories/mfsa2024-06/\t\nhttps://www.mozilla.org/security/advisories/mfsa2024-07/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2024-1551\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2024-1551\n\n\u0414\u043b\u044f Ubuntu:\nhttps://ubuntu.com/security/notices/USN-6649-1\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0440\u0435\u043b\u0438\u0437 10): \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0432\u0435\u0440\u0441\u0438\u044f 2.10):\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f thunderbird \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:115.9.0+repack-1~deb10u1.osnova1\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f firefox-esr \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 115.8.0esr+repack-1~deb10u1.osnova1\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 firefox \u0434\u043e 127.0.2+build1-0ubuntu0.20.04.1~mt1+ci202407030910+astra13 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 thunderbird \u0434\u043e 1:115.12.0+build3-0ubuntu0.20.04.1+ci202406211519+astra2 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb::\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 thunderbird \u0434\u043e 1:115.12.1+build1-0ubuntu0.20.04.1~mt1+ci202406211521+astra2 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 firefox \u0434\u043e 128.0+build2-0ubuntu0.20.04.1+ci202407111318+astra13 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7 \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b ARM:\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 firefox \u0434\u043e 131.0.2+build1-0ubuntu0.20.04.1~mt1+ci202410111226+astra13 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47\n- \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 thunderbird \u0434\u043e 1:115.16.0+build2-0ubuntu0.20.04.1~mt1+ci202410141704+astra2 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "20.02.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "11.11.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "29.02.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-01663",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-1551",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, Red Hat Enterprise Linux Server, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Debian GNU/Linux, Ubuntu, Red Hat Enterprise Linux Workstation, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u041b\u042c\u0422 \u0421\u041f 10, Red Hat Enterprise Linux Server AUS, Red Hat Enterprise Linux Server TUS, Firefox ESR, Thunderbird, Firefox, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux Desktop 7 , Red Hat Inc. Red Hat Enterprise Linux 7 , Red Hat Inc. Red Hat Enterprise Linux Server 7 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat Inc. Red Hat Enterprise Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Canonical Ltd. Ubuntu 20.04 LTS , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , Red Hat Inc. Red Hat Enterprise Linux Workstation 7.0 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat Inc. Red Hat Enterprise Linux 9 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat Inc. Red Hat Enterprise Linux 8.6 Extended Update Support , Red Hat Inc. Red Hat Enterprise Linux 9.0 , \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - , Red Hat Inc. Red Hat Enterprise Linux 8.8 Extended Update Support , Red Hat Inc. Red Hat Enterprise Linux Server AUS 8.2 , Red Hat Inc. Red Hat Enterprise Linux Server TUS 8.2 , Red Hat Inc. Red Hat Enterprise Linux 9.2 , \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.10  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Mozilla Firefox, Firefox ESR \u0438 \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u043a\u043b\u0438\u0435\u043d\u0442\u0430 Thunderbird, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f  \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u043e\u0439 \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u043e\u0441\u043e\u0431\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432 \u0432 \u0432\u044b\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u043c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u043c, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u043d\u0435\u0434\u0440\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 HTTP-\u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u0430\u044f \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u043e\u0441\u043e\u0431\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432 \u0432 \u0432\u044b\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u043c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u043c (\u00ab\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044f\u00bb) (CWE-74)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Mozilla Firefox, Firefox ESR \u0438 \u043f\u043e\u0447\u0442\u043e\u0432\u043e\u0433\u043e \u043a\u043b\u0438\u0435\u043d\u0442\u0430 Thunderbird \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u043e\u0439 \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u043e\u0441\u043e\u0431\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432 \u0432 \u0432\u044b\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u043c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u043c. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u043d\u0435\u0434\u0440\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 HTTP-\u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438, \u0442\u0430\u043a\u0438\u0435 \u043a\u0430\u043a Set-Cookie",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385\t\nhttps://www.mozilla.org/security/advisories/mfsa2024-05/\t\nhttps://www.mozilla.org/security/advisories/mfsa2024-06/\t\nhttps://www.mozilla.org/security/advisories/mfsa2024-07/\nhttps://access.redhat.com/security/cve/CVE-2024-1551\nhttps://security-tracker.debian.org/tracker/CVE-2024-1551\nhttps://ubuntu.com/security/notices/USN-6649-1\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.10/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-74",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,1)"
}

CNVD-2024-12551

Vulnerability from cnvd - Published: 2024-03-11

Title

Mozilla Firefox HTTP头注入漏洞

Description

Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。 Mozilla Firefox存在HTTP头注入漏洞，该漏洞源于Set-Cookie响应报头在多部分HTTP响应中被错误地执行，攻击者可利用该漏洞注入浏览器所认可的Set-Cookie响应头。

Severity

高

Patch Name

Mozilla Firefox HTTP头注入漏洞的补丁

Patch Description

Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。 Mozilla Firefox存在HTTP头注入漏洞，该漏洞源于Set-Cookie响应报头在多部分HTTP响应中被错误地执行，攻击者可利用该漏洞注入浏览器所认可的Set-Cookie响应头。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1864385

Impacted products

Name
['mozilla Firefox <123', 'Mozilla Firefox ESR <115.8', 'Mozilla Thunderbird <115.8']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-1551",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-1551"
    }
  },
  "description": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002\n\nMozilla Firefox\u5b58\u5728HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eSet-Cookie\u54cd\u5e94\u62a5\u5934\u5728\u591a\u90e8\u5206HTTP\u54cd\u5e94\u4e2d\u88ab\u9519\u8bef\u5730\u6267\u884c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6d4f\u89c8\u5668\u6240\u8ba4\u53ef\u7684Set-Cookie\u54cd\u5e94\u5934\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2024-05/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-12551",
  "openTime": "2024-03-11",
  "patchDescription": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002\r\n\r\nMozilla Firefox\u5b58\u5728HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eSet-Cookie\u54cd\u5e94\u62a5\u5934\u5728\u591a\u90e8\u5206HTTP\u54cd\u5e94\u4e2d\u88ab\u9519\u8bef\u5730\u6267\u884c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6d4f\u89c8\u5668\u6240\u8ba4\u53ef\u7684Set-Cookie\u54cd\u5e94\u5934\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mozilla Firefox HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "mozilla Firefox \u003c123",
      "Mozilla Firefox ESR \u003c115.8",
      "Mozilla Thunderbird \u003c115.8"
    ]
  },
  "referenceLink": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385",
  "serverity": "\u9ad8",
  "submitTime": "2024-03-01",
  "title": "Mozilla Firefox HTTP\u5934\u6ce8\u5165\u6f0f\u6d1e"
}

FKIE_CVE-2024-1551

Vulnerability from fkie_nvd - Published: 2024-02-20 14:15 - Updated: 2025-04-02 20:12

Severity

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1864385	Exploit, Issue Tracking
security@mozilla.org	https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html	Third Party Advisory
security@mozilla.org	https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html	Third Party Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-05/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-06/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2024-07/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.mozilla.org/show_bug.cgi?id=1864385	Exploit, Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2024-05/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2024-06/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2024-07/	Vendor Advisory

Impacted products

Vendor	Product	Version
mozilla	firefox	*
mozilla	firefox	*
mozilla	thunderbird	*
debian	debian_linux	10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
              "matchCriteriaId": "355C0EEB-8EF2-4464-BDD4-7616AA6A65FA",
              "versionEndExcluding": "115.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "DD7E737F-745F-4A07-B4E3-B51D2DB6C96F",
              "versionEndExcluding": "123.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7380CBFA-8328-4F35-AE4F-46482C77BEF6",
              "versionEndExcluding": "115.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123, Firefox ESR \u003c 115.8, and Thunderbird \u003c 115.8."
    },
    {
      "lang": "es",
      "value": "Los encabezados de respuesta Set-Cookie se respetaban incorrectamente en las respuestas HTTP de varias partes. Si un atacante pudiera controlar el encabezado de respuesta Content-Type, as\u00ed como controlar parte del cuerpo de la respuesta, podr\u00eda inyectar encabezados de respuesta Set-Cookie que el navegador habr\u00eda respetado. Esta vulnerabilidad afecta a Firefox \u0026lt; 123, Firefox ESR \u0026lt; 115.8 y Thunderbird \u0026lt; 115.8."
    }
  ],
  "id": "CVE-2024-1551",
  "lastModified": "2025-04-02T20:12:09.320",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-02-20T14:15:08.790",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-05/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-06/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-07/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-05/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-06/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-07/"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-565"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-CQ85-4F5H-QQC4

Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-11-20 00:32

Details

Severity

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-1551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123 and Firefox ESR \u003c 115.8.",
  "id": "GHSA-cq85-4f5h-qqc4",
  "modified": "2024-11-20T00:32:08Z",
  "published": "2024-02-20T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1551"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-05"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-06"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-1551 (GCVE-0-2024-1551)

Solution

Solution

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature