CVE-2024-6609 - Vulnerability Details - OpenCVE

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mozilla	Firefox Thunderbird

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

No data.

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1839258
https://www.mozilla.org/security/advisories/mfsa2024-29/
https://www.mozilla.org/security/advisories/mfsa2024-32/

History

Thu, 29 Aug 2024 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2024-07-09T14:25:59.075Z

Updated: 2024-09-12T15:48:04.264Z

Reserved: 2024-07-09T14:12:57.118Z

Link: CVE-2024-6609

Vulnrichment

Updated: 2024-08-01T21:41:03.946Z

NVD

Status : Modified

Published: 2024-07-09T15:15:12.923

Modified: 2024-11-21T09:49:59.370

Link: CVE-2024-6609

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6609", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2024-07-09T14:12:57.118Z", "datePublished": "2024-07-09T14:25:59.075Z", "dateUpdated": "2024-09-12T15:48:04.264Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "128", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "128", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128."}]}], "problemTypes": [{"descriptions": [{"description": "Memory corruption in NSS", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1839258"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-29/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-32/"}], "credits": [{"lang": "en", "value": "Irvan Kurniawan"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-09-12T15:48:04.264Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.946Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1839258", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-29/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-32/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T19:02:00.882338Z", "id": "CVE-2024-6609", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:02:14.529Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1839258", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-29/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-32/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.946Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-22T19:02:00.882338Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:02:05.910Z"}}], "cna": {"credits": [{"lang": "en", "value": "Irvan Kurniawan"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1839258"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-29/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-32/"}], "descriptions": [{"lang": "en", "value": "When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128.", "supportingMedia": [{"type": "text/html", "value": "When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Memory corruption in NSS"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-09-12T15:48:04.264Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6609", "state": "PUBLISHED", "dateUpdated": "2024-09-12T15:48:04.264Z", "dateReserved": "2024-07-09T14:12:57.118Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2024-07-09T14:25:59.075Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "540E6900-1ECF-4138-9ABB-C3CC81FCF47B", "versionEndExcluding": "128.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "F38B1ACE-990E-429F-BFA5-07EE4475D0F6", "versionEndExcluding": "128.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128."}, {"lang": "es", "value": "Cuando casi se hab\u00eda quedado sin memoria, una clave de curva el\u00edptica que nunca se asign\u00f3 podr\u00eda haberse liberado nuevamente. Esta vulnerabilidad afecta a Firefox < 128."}], "id": "CVE-2024-6609", "lastModified": "2024-11-21T09:49:59.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-09T15:15:12.923", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1839258"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-29/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-32/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1839258"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-29/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-32/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}