Risk | High |
Patch available | YES |
Number of vulnerabilities | 8 |
CVE-ID | CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864 |
CWE-ID | CWE-450 CWE-400 CWE-1037 CWE-190 CWE-416 CWE-119 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system firefox-esr (Debian package) Operating systems & Components / Operating system package or component |
Vendor | Debian |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
EUVDB-ID: #VU87640
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-2609
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to the permission prompt input delay can expire while the window is not in focus. A remote attacker can trick the victim to visit a specially crafted website and perform a clickjacking attack.
MitigationUpdate firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88652
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-3302
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 CONTINUATION frames. A remote attacker can trick the victim to visit a specially crated website and perform a denial of service (DoS) attack.
MitigationUpdate firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88579
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-3852
CWE-ID:
CWE-1037 - Processor optimization removal or modification of security-critical code
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to GetBoundName can return the wrong version of an object when JIT optimizations were applied. A remote attacker can abuse such behavior to execute arbitrary code on the system.
Update firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88580
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-3854
CWE-ID:
CWE-1037 - Processor optimization removal or modification of security-critical code
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect optimization, when some code patterns in the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. A remote attacker can abuse such behavior to execute arbitrary code on the system.
Update firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88581
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-3857
CWE-ID:
CWE-1037 - Processor optimization removal or modification of security-critical code
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect optimization when JIT created incorrect code for arguments in certain cases. A remote attacker can abuse such behavior to execute arbitrary code on the system.
Update firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88582
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-3859
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to integer overflow when handling OpenType fonts. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information.
Update firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88631
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-3861
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a use-after-free error. If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free.
MitigationUpdate firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88653
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-3864
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to open a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate firefox-esr package to one of the following versions: 115.10.0esr-1~deb11u1, 115.10.0esr-1~deb12u1.
Vulnerable software versionsDebian Linux: All versions
firefox-esr (Debian package): before 115.10.0esr-1~deb12u1
CPE2.3 External linkshttp://lists.debian.org/debian-security-announce/2024/msg00072.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.