CVE-2024-4769
published 2024-05-14CVE-2024-4769: When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script…
medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | firefox | < firefox 126.0-1 (sid) | firefox 126.0-1 (sid) |
| debian | firefox-esr | < firefox 126.0-1 (sid) | firefox 126.0-1 (sid) |
| debian | thunderbird | < firefox 126.0-1 (sid) | firefox 126.0-1 (sid) |
| mozilla | firefox | < 115.11.0 | 115.11.0 |
| mozilla | firefox | < 126.0 | 126.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 126.0+build2-0ubuntu0.20.04.1 | 126.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= 0 < 126.0.1+build1-0ubuntu0.20.04.1 | 126.0.1+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 126 | 126 |
| mozilla | firefox_esr | >= unspecified < 115.11 | 115.11 |
| mozilla | thunderbird | < 115.11.0 | 115.11.0 |
| mozilla | thunderbird | >= 0 < 1:115.11.0-1~deb11u1 | 1:115.11.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:115.11.0-1~deb12u1 | 1:115.11.0-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:115.11.0-1 | 1:115.11.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.11.0-1 | 1:115.11.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.11.0+build2-0ubuntu0.20.04.1 | 1:115.11.0+build2-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= 0 < 1:115.11.0+build2-0ubuntu0.22.04.1 | 1:115.11.0+build2-0ubuntu0.22.04.1 |
| mozilla | thunderbird | >= unspecified < 115.11 | 115.11 |
CVSS provenance
nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
osv8.8HIGH
Ubuntu
Firefox regressions
vendor_ubuntu·2024-05-29·CVSS 8.8
[HIGH] Firefox regressions
Title: Firefox regressions
Summary: USN-6779-1 caused some minor regressions in Firefox.
USN-6779-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)
Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when audio input connected with multiple consumers.
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2024-05-22·CVSS 8.8
CVE-2024-4767 [HIGH] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768,
CVE-2024-4769, CVE-2024-4777)
Thomas Rinsma discovered that Thunderbird did not properly handle type check
when handling fonts in PDF.js. An attacker could potentially exploit this
issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367)
Irvan Kurniawan discovered that Thunderbird did not properly handle certain
font styles when s
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-05-21·CVSS 8.8
CVE-2024-4768 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)
Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when audio input connected with multiple consumers. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-4764)
Thomas Rinsma discovered that Fi
Red Hat
Mozilla: Cross-origin responses could be distinguished between script and non-script content-types
vendor_redhat·2024-05-14·CVSS 5.9
CVE-2024-4769 [MEDIUM] CWE-829 Mozilla: Cross-origin responses could be distinguished between script and non-script content-types
Mozilla: Cross-origin responses could be distinguished between script and non-script content-types
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin.
Statement: Red Hat Product Security rates the severity of
Debian
CVE-2024-4769: firefox - When importing resources using Web Workers, error messages would distinguish the...
vendor_debian·2024·CVSS 5.9
CVE-2024-4769 [MEDIUM] CVE-2024-4769: firefox - When importing resources using Web Workers, error messages would distinguish the...
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Scope: local
sid: resolved (fixed in 126.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-23: CVE-2024-4769
vendor_mozilla·CVSS 5.9
CVE-2024-4769 [MEDIUM] Mozilla Foundation Security Advisory 2024-23: CVE-2024-4769
Mozilla Foundation Security Advisory 2024-23
CVE: CVE-2024-4769
Product: Thunderbird
Impact: moderate
Fixed in: Thunderbird 115.11
Mozilla
Mozilla Foundation Security Advisory 2024-21: CVE-2024-4769
vendor_mozilla·CVSS 5.9
CVE-2024-4769 [MEDIUM] Mozilla Foundation Security Advisory 2024-21: CVE-2024-4769
Mozilla Foundation Security Advisory 2024-21
CVE: CVE-2024-4769
Product: Firefox
Impact: moderate
Fixed in: Firefox 126
Mozilla
Mozilla Foundation Security Advisory 2024-22: CVE-2024-4769
vendor_mozilla·CVSS 5.9
CVE-2024-4769 [MEDIUM] Mozilla Foundation Security Advisory 2024-22: CVE-2024-4769
Mozilla Foundation Security Advisory 2024-22
CVE: CVE-2024-4769
Product: Firefox ESR
Impact: moderate
Fixed in: Firefox ESR 115.11
OSV
firefox regressions
osv·2024-05-29·CVSS 8.8
CVE-2024-4767 [HIGH] firefox regressions
firefox regressions
USN-6779-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)
Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when audio input connected with multiple consumers. An attacker could
potentially exploit this issue to cause a denial of
OSV
thunderbird vulnerabilities
osv·2024-05-22·CVSS 8.8
CVE-2024-4767 [HIGH] thunderbird vulnerabilities
thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768,
CVE-2024-4769, CVE-2024-4777)
Thomas Rinsma discovered that Thunderbird did not properly handle type check
when handling fonts in PDF.js. An attacker could potentially exploit this
issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367)
Irvan Kurniawan discovered that Thunderbird did not properly handle certain
font styles when saving a page to PDF. An attacker could potentially
exploit this issu
OSV
firefox vulnerabilities
osv·2024-05-21·CVSS 8.8
CVE-2024-4767 [HIGH] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)
Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when audio input connected with multiple consumers. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-4764)
Thomas Rinsma discovered that Firefox did not properly handle type check
when handling fonts in
GHSA
GHSA-vgc7-vqc6-2858: When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script
ghsa_unreviewed·2024-05-14
CVE-2024-4769 [MEDIUM] CWE-351 GHSA-vgc7-vqc6-2858: When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
OSV
CVE-2024-4769: When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script
osv·2024-05-14·CVSS 5.9
CVE-2024-4769 [MEDIUM] CVE-2024-4769: When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1886108https://lists.debian.org/debian-lts-announce/2024/05/msg00010.htmlhttps://lists.debian.org/debian-lts-announce/2024/05/msg00012.htmlhttps://www.mozilla.org/security/advisories/mfsa2024-21/https://www.mozilla.org/security/advisories/mfsa2024-22/https://www.mozilla.org/security/advisories/mfsa2024-23/https://bugzilla.mozilla.org/show_bug.cgi?id=1886108https://lists.debian.org/debian-lts-announce/2024/05/msg00010.htmlhttps://lists.debian.org/debian-lts-announce/2024/05/msg00012.htmlhttps://www.mozilla.org/security/advisories/mfsa2024-21/https://www.mozilla.org/security/advisories/mfsa2024-22/https://www.mozilla.org/security/advisories/mfsa2024-23/
2024-05-14
Published