Vulnerability-Lookup

alsa-2024:5322

Vulnerability from osv_almalinux

Published

2024-08-15 00:00

Modified

2024-08-21 12:15

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

Firefox: 115.14/128.1 ESR ()
mozilla: Fullscreen notification dialog can be obscured by document content (CVE-2024-7518)
mozilla: Out of bounds memory access in graphics shared memory handling (CVE-2024-7519)
mozilla: Type confusion in WebAssembly (CVE-2024-7520)
mozilla: Incomplete WebAssembly exception handing (CVE-2024-7521)
mozilla: Out of bounds read in editor component (CVE-2024-7522)
mozilla: CSP strict-dynamic bypass using web-compatibility shims (CVE-2024-7524)
mozilla: Missing permission check when creating a StreamFilter (CVE-2024-7525)
mozilla: Uninitialized memory used by WebGL (CVE-2024-7526)
mozilla: Use-after-free in JavaScript garbage collection (CVE-2024-7527)
mozilla: Use-after-free in IndexedDB (CVE-2024-7528)
mozilla: Document content could partially obscure security prompts (CVE-2024-7529)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2024:5322	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-7518	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7519	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7520	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7521	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7522	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7524	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7525	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7526	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7527	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7528	REPORT
	https://access.redhat.com/security/cve/CVE-2024-7529	REPORT
	https://bugzilla.redhat.com/2303135	REPORT
	https://bugzilla.redhat.com/2303136	REPORT
	https://bugzilla.redhat.com/2303137	REPORT
	https://bugzilla.redhat.com/2303138	REPORT
	https://bugzilla.redhat.com/2303139	REPORT
	https://bugzilla.redhat.com/2303141	REPORT
	https://bugzilla.redhat.com/2303142	REPORT
	https://bugzilla.redhat.com/2303143	REPORT
	https://bugzilla.redhat.com/2303144	REPORT
	https://bugzilla.redhat.com/2303145	REPORT
	https://bugzilla.redhat.com/2303146	REPORT
	https://errata.almalinux.org/9/ALSA-2024-5322.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.14.0-2.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "firefox-x11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "115.14.0-2.el9_4.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nSecurity Fix(es):\n\n* Firefox: 115.14/128.1 ESR ()\n* mozilla: Fullscreen notification dialog can be obscured by document content (CVE-2024-7518)\n* mozilla: Out of bounds memory access in graphics shared memory handling (CVE-2024-7519)\n* mozilla: Type confusion in WebAssembly (CVE-2024-7520)\n* mozilla: Incomplete WebAssembly exception handing (CVE-2024-7521)\n* mozilla: Out of bounds read in editor component (CVE-2024-7522)\n* mozilla: CSP strict-dynamic bypass using web-compatibility shims (CVE-2024-7524)\n* mozilla: Missing permission check when creating a StreamFilter (CVE-2024-7525)\n* mozilla: Uninitialized memory used by WebGL (CVE-2024-7526)\n* mozilla: Use-after-free in JavaScript garbage collection (CVE-2024-7527)\n* mozilla: Use-after-free in IndexedDB (CVE-2024-7528)\n* mozilla: Document content could partially obscure security prompts (CVE-2024-7529)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2024:5322",
  "modified": "2024-08-21T12:15:26Z",
  "published": "2024-08-15T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2024:5322"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7518"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7519"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7520"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7521"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7522"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7524"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7525"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7526"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7527"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7528"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7529"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303135"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303136"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303137"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303138"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303139"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303141"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303142"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303143"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303144"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303145"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2303146"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2024-5322.html"
    }
  ],
  "related": [
    "CVE-2024-7518",
    "CVE-2024-7519",
    "CVE-2024-7520",
    "CVE-2024-7521",
    "CVE-2024-7522",
    "CVE-2024-7524",
    "CVE-2024-7525",
    "CVE-2024-7526",
    "CVE-2024-7527",
    "CVE-2024-7528",
    "CVE-2024-7529"
  ],
  "summary": "Important: firefox security update"
}

CVE-2024-7529 (GCVE-0-2024-7529)

Vulnerability from cvelistv5 – Published: 2024-08-06 12:38 – Updated: 2024-08-07 20:55

Summary

The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

Document content could partially obscure security prompts

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1903187
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

5 products

Vendor	Product	Version
Mozilla	Firefox	Affected: unspecified , < 129 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 115.14 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 128.1 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 128.1 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 115.14 (custom)

Credits

Hafiizh

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "firefox",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "129",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "firefox_esr",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "115.14",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "128.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "thunderbird",
            "vendor": "mozilla",
            "versions": [
              {
                "lessThan": "128.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "114.14",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-7529",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-06T13:32:01.203965Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-451",
                "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-07T20:55:22.507Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "129",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.14",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.14",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Hafiizh"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox \u003c 129, Firefox ESR \u003c 115.14, Firefox ESR \u003c 128.1, Thunderbird \u003c 128.1, and Thunderbird \u003c 115.14."
            }
          ],
          "value": "The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox \u003c 129, Firefox ESR \u003c 115.14, Firefox ESR \u003c 128.1, Thunderbird \u003c 128.1, and Thunderbird \u003c 115.14."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Document content could partially obscure security prompts",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-06T22:21:46.397Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1903187"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-33/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-34/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-35/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-37/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2024-38/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2024-7529",
    "datePublished": "2024-08-06T12:38:15.245Z",
    "dateReserved": "2024-08-05T23:30:20.798Z",
    "dateUpdated": "2024-08-07T20:55:22.507Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2024:5322

Vulnerability from osv_almalinux

CVE-2024-7529 (GCVE-0-2024-7529)

Tags

Sightings

Nomenclature