CVE-2024-11699 - Vulnerability Details

CVE-2024-11699 - firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5

Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mozilla	Firefox Firefox Esr Thunderbird
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.5.1-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2024:10881	2024-12-09T00:00:00Z
Red Hat Enterprise Linux 8
thunderbird-0:128.5.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10591	2024-12-02T00:00:00Z
firefox-0:128.5.1-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10752	2024-12-03T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
thunderbird-0:128.5.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:10704	2024-12-02T00:00:00Z
firefox-0:128.5.1-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:10844	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
thunderbird-0:128.5.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:10733	2024-12-03T00:00:00Z
firefox-0:128.5.1-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:10849	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
thunderbird-0:128.5.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:10733	2024-12-03T00:00:00Z
firefox-0:128.5.1-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:10849	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
thunderbird-0:128.5.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:10733	2024-12-03T00:00:00Z
firefox-0:128.5.1-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:10849	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
thunderbird-0:128.5.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:10734	2024-12-03T00:00:00Z
firefox-0:128.5.1-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:10880	2024-12-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
thunderbird-0:128.5.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:10734	2024-12-03T00:00:00Z
firefox-0:128.5.1-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:10880	2024-12-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
thunderbird-0:128.5.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:10734	2024-12-03T00:00:00Z
firefox-0:128.5.1-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:10880	2024-12-09T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
thunderbird-0:128.5.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:10710	2024-12-02T00:00:00Z
firefox-0:128.5.1-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:10848	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 9
thunderbird-0:128.5.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10592	2024-12-02T00:00:00Z
firefox-0:128.5.1-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10702	2024-12-02T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
thunderbird-0:128.5.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:10703	2024-12-02T00:00:00Z
firefox-0:128.5.1-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:10743	2024-12-03T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
thunderbird-0:128.5.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:10667	2024-12-02T00:00:00Z
firefox-0:128.5.1-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:10745	2024-12-03T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
firefox-0:128.5.1-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:10742	2024-12-03T00:00:00Z
thunderbird-0:128.5.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:10748	2024-12-03T00:00:00Z

References

Link	Providers
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911
https://nvd.nist.gov/vuln/detail/CVE-2024-11699
https://www.cve.org/CVERecord?id=CVE-2024-11699
https://www.mozilla.org/security/advisories/mfsa2024-63/
https://www.mozilla.org/security/advisories/mfsa2024-64/
https://www.mozilla.org/security/advisories/mfsa2024-67/
https://www.mozilla.org/security/advisories/mfsa2024-68/

History

Thu, 03 Apr 2025 14:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird::::::::

Mon, 09 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els

Wed, 04 Dec 2024 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Tus

Tue, 03 Dec 2024 02:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6
Vendors & Products	Redhat rhel Tus

Tue, 03 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus

Mon, 02 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Wed, 27 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
Weaknesses		CWE-94
CPEs		cpe:2.3:a:mozilla:firefox:-:::::::* cpe:2.3:a:mozilla:firefox_esr:-:::::::* cpe:2.3:a:mozilla:thunderbird:-:::::::*
Vendors & Products		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 27 Nov 2024 13:30:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5
Weaknesses		CWE-120
References		https://nvd.nist.gov/vuln/detail/CVE-2024-11699 https://www.cve.org/CVERecord?id=CVE-2024-11699
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Tue, 26 Nov 2024 13:45:00 +0000

Type	Values Removed	Values Added
Description		Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
References		https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911 https://www.mozilla.org/security/advisories/mfsa2024-63/ https://www.mozilla.org/security/advisories/mfsa2024-64/ https://www.mozilla.org/security/advisories/mfsa2024-67/ https://www.mozilla.org/security/advisories/mfsa2024-68/

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2024-11-26T13:34:02.646Z

Updated: 2024-11-30T04:55:57.665Z

Reserved: 2024-11-25T16:29:39.506Z

Link: CVE-2024-11699

Vulnrichment

Updated: 2024-11-27T15:05:03.945Z

NVD

Status : Analyzed

Published: 2024-11-26T14:15:19.427

Modified: 2025-04-03T13:31:55.513

Link: CVE-2024-11699

Redhat

Severity : Important

Publid Date: 2024-11-26T13:34:02Z

Links: CVE-2024-11699 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11699", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2024-11-25T16:29:39.506Z", "datePublished": "2024-11-26T13:34:02.646Z", "dateUpdated": "2024-11-30T04:55:57.665Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "133", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "128.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "133", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "128.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5."}]}], "problemTypes": [{"descriptions": [{"description": "Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911", "name": "Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-63/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-64/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-67/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-68/"}], "credits": [{"lang": "en", "value": "Andrew McCreight, Akmat Suleimanov"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-11-26T13:34:02.646Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "affected": [{"vendor": "mozilla", "product": "firefox", "cpes": ["cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "133", "versionType": "custom"}]}, {"vendor": "mozilla", "product": "firefox_esr", "cpes": ["cpe:2.3:a:mozilla:firefox_esr:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "128.5", "versionType": "custom"}]}, {"vendor": "mozilla", "product": "thunderbird", "cpes": ["cpe:2.3:a:mozilla:thunderbird:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "133", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "128.5", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-29T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-11699"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-30T04:55:57.665Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-11699", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-27T15:00:52.077818Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*"], "vendor": "mozilla", "product": "firefox", "versions": [{"status": "affected", "version": "0", "lessThan": "133", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mozilla:firefox_esr:-:*:*:*:*:*:*:*"], "vendor": "mozilla", "product": "firefox_esr", "versions": [{"status": "affected", "version": "0", "lessThan": "128.5", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mozilla:thunderbird:-:*:*:*:*:*:*:*"], "vendor": "mozilla", "product": "thunderbird", "versions": [{"status": "affected", "version": "0", "lessThan": "133", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "128.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T15:05:03.945Z"}}], "cna": {"credits": [{"lang": "en", "value": "Andrew McCreight, Akmat Suleimanov"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "133", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.5", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "133", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.5", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911", "name": "Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-63/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-64/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-67/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-68/"}], "descriptions": [{"lang": "en", "value": "Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.", "supportingMedia": [{"type": "text/html", "value": "Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-11-26T13:34:02.646Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11699", "state": "PUBLISHED", "dateUpdated": "2024-11-30T04:55:57.665Z", "dateReserved": "2024-11-25T16:29:39.506Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2024-11-26T13:34:02.646Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "883C5169-FA69-4478-BE73-4F36AB746D39", "versionEndExcluding": "128.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "F82571FC-4DDE-4C63-BD2B-8CF2FFEA28A8", "versionEndExcluding": "133.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D8EB724-B91E-46E5-97D5-369C1AD92D5A", "versionEndExcluding": "128.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "809C8F59-3AAB-49E8-9F18-6884EC6E4E92", "versionEndExcluding": "133.0", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5."}, {"lang": "es", "value": "Se han detectado errores de seguridad de memoria en Firefox 132, Firefox ESR 128.4 y Thunderbird 128.4. Algunos de estos errores mostraban evidencia de corrupci\u00f3n de memoria y suponemos que, con el suficiente esfuerzo, algunos de ellos podr\u00edan haberse aprovechado para ejecutar c\u00f3digo arbitrario. Esta vulnerabilidad afecta a Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133 y Thunderbird < 128.5."}], "id": "CVE-2024-11699", "lastModified": "2025-04-03T13:31:55.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-26T14:15:19.427", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-63/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-64/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-67/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-68/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10881", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.5.1-1.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-12-09T00:00:00Z"}, {"advisory": "RHSA-2024:10591", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.5.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10752", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.5.1-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10704", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10844", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.5.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10733", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10849", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.5.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10733", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10849", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.5.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10733", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10849", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.5.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10734", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.5.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10880", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.5.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-12-09T00:00:00Z"}, {"advisory": "RHSA-2024:10734", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.5.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10880", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.5.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-12-09T00:00:00Z"}, {"advisory": "RHSA-2024:10734", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.5.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10880", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.5.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-12-09T00:00:00Z"}, {"advisory": "RHSA-2024:10710", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.5.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10848", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.5.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10592", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.5.0-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10702", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.5.1-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10703", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.5.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10743", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.5.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10667", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.5.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:10745", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.5.1-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10742", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "firefox-0:128.5.1-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2024:10748", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "thunderbird-0:128.5.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-03T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5", "id": "2328947", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328947"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-120", "details": ["Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.", "A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs are present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort, some of these could have been exploited to run arbitrary code.\u200b"], "name": "CVE-2024-11699", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-26T13:34:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-11699\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11699\nhttps://bugzilla.mozilla.org/buglist.cgi?bug_id=1880582%2C1929911\nhttps://www.mozilla.org/security/advisories/mfsa2024-63/\nhttps://www.mozilla.org/security/advisories/mfsa2024-64/\nhttps://www.mozilla.org/security/advisories/mfsa2024-67/\nhttps://www.mozilla.org/security/advisories/mfsa2024-68/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object