CVE-2024-9680
Publication date 10 October 2024
Last updated 18 October 2024
Ubuntu priority
Cvss 3 Severity Score
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.
Read the notes from the security team
Why is this CVE high priority?
Listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog for Firefox
Status
Package | Ubuntu Release | Status |
---|---|---|
firefox | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Fixed 131.0.2+build1-0ubuntu0.20.04.1
|
|
mozjs102 | 24.10 oracular | Not in release |
24.04 LTS noble | Ignored | |
22.04 LTS jammy | Ignored | |
20.04 LTS focal | Not in release | |
mozjs115 | 24.10 oracular | Ignored |
24.04 LTS noble | Ignored | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
mozjs38 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Ignored | |
mozjs52 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Ignored | |
18.04 LTS bionic | Ignored | |
mozjs68 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Ignored | |
mozjs78 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Ignored | |
20.04 LTS focal | Not in release | |
mozjs91 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Ignored | |
20.04 LTS focal | Not in release | |
thunderbird | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Fixed 1:115.16.0+build2-0ubuntu0.22.04.1
|
|
20.04 LTS focal |
Fixed 1:115.16.0+build2-0ubuntu0.20.04.1
|
Notes
mdeslaur
mozjs* contain a copy of the SpiderMonkey JavaScript engine. It is not feasible to backport security fixes to the mozjs* packages, as such, marking them as ignored. starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap starting with Ubuntu 24.04, the thunderbird package is just a script that installs the Thunderbird snap
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 · Critical |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7065-1
- Firefox vulnerability
- 14 October 2024
- USN-7066-1
- Thunderbird vulnerability
- 14 October 2024