CVE-2024-1554: Insufficient Verification of Data Authenticity in Mozilla Firefox

Severity: 9.8 CRITICAL (NVD), 7.5 (OSV)
EPSS: 0.2% (top 54.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 20
Latest update: Mar 6

Description

The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123.
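The cache-key problem described above, as an added example that is not Firefox code or Mozilla's patch: a toy cache is keyed first on the URL alone and then on the URL plus request headers. The `ToyCache` class, the `x-variant` header, the `origin` function and the `site.example` URL are all hypothetical and constructed for illustration.

```javascript
// Toy model of a browser HTTP cache; not Firefox code. All names are hypothetical.

// Flawed key: request headers are ignored, so fetch() and navigation collide.
const URL_ONLY = (req) => req.url;

// Key that also covers the request headers (lower-cased and sorted).
const URL_AND_HEADERS = (req) => {
  const hdrs = Object.entries(req.headers || {})
    .map(([k, v]) => `${k.toLowerCase()}:${v}`)
    .sort();
  return JSON.stringify([req.url, hdrs]);
};

// Constructed origin: the response body depends on an optional request header.
function origin(req) {
  const variant = (req.headers || {})["x-variant"];
  return variant ? `variant page (${variant})` : "expected page";
}

class ToyCache {
  constructor(keyFn) { this.keyFn = keyFn; this.store = new Map(); }
  // Return the cached body for this request, fetching from origin on a miss.
  load(req) {
    const key = this.keyFn(req);
    if (!this.store.has(key)) this.store.set(key, origin(req));
    return this.store.get(key);
  }
}

// A fetch() carrying an extra header primes the cache, then a plain
// navigation requests the same URL. Returns what the navigation displays.
function navigateAfterFetch(keyFn) {
  const cache = new ToyCache(keyFn);
  const url = "https://site.example/account";
  cache.load({ url, headers: { "x-variant": "alt" } }); // fetch() with extra header
  return cache.load({ url, headers: {} });               // top-level navigation
}

console.log("URL-only key:    ", navigateAfterFetch(URL_ONLY));
console.log("URL+headers key: ", navigateAfterFetch(URL_AND_HEADERS));
```

With the URL-only key the navigation is served the entry stored by the earlier `fetch()`; with headers in the key it misses and loads the expected response.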

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5 | mozilla/firefox | unspecified | 123
NVD | mozilla/firefox | < 123.0
Ubuntu | mozilla/firefox | < 123.0+build3-0ubuntu0.20.04.1+1

Vulnerability Details (5)

OSV: firefox regressions (2024-03-06)
OSV: firefox vulnerabilities (2024-02-22)
GHSA: GHSA-gqrh-wgmr-mm7v: The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain (2024-02-20)
OSV: CVE-2024-1554: The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain (2024-02-20)
CVEList: CVE-2024-1554: The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain (2024-02-20)

Vendor Advisories (4)

Ubuntu: Firefox regressions (2024-03-06)
Ubuntu: Firefox vulnerabilities (2024-02-22)
Debian: CVE-2024-1554: firefox - The `fetch()` API and navigation incorrectly shared the same cache, as the cache... (2024)
Mozilla: Mozilla Foundation Security Advisory 2024-05: CVE-2024-1554