CVE-2024-3302: Allocation of Resources Without Limits or Throttling in Mozilla Firefox

Severity: 3.7 LOW (NVD)
EPSS: 0.1% (top 73.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 16
Latest update: May 2

Description

There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 2.2 | Impact: 1.4

Affected Packages (6 packages)

CVEListV5 | mozilla/firefox | unspecified | 125
NVD | mozilla/firefox | < 115.10 | +1
CVEListV5 | mozilla/firefox_esr | unspecified | 115.10
CVEListV5 | mozilla/thunderbird | unspecified | 115.10
Debian | mozilla/thunderbird | < 1:115.10.1-1~deb11u1 | +3

🔴 Vulnerability Details (6)

OSV: firefox regressions (2024-05-02)
OSV: thunderbird vulnerabilities (2024-04-25)
OSV: firefox vulnerabilities (2024-04-24)
CVEList: CVE-2024-3302: There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed (2024-04-16)
OSV: CVE-2024-3302: There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed (2024-04-16)

📋 Vendor Advisories (7)

Ubuntu: Thunderbird vulnerabilities (2024-04-25)
Ubuntu: Firefox vulnerabilities (2024-04-24)
Red Hat: Mozilla: Denial of Service using HTTP/2 CONTINUATION frames (2024-04-16)
Debian: CVE-2024-3302: firefox - There was no limit to the number of HTTP/2 CONTINUATION frames that would be pro... (2024)
Mozilla: Mozilla Foundation Security Advisory 2024-19: CVE-2024-3302
CVE-2024-3302 — Mozilla Firefox vulnerability | cvebase