High CVE-2024-1669: Out of bounds memory access in Blink
High CVE-2024-1670: Use after free in Mojo
Medium CVE-2024-1671: Inappropriate implementation in Site Isolation
Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy
Medium CVE-2024-1673: Use after free in Accessibility
Medium CVE-2024-1674: Inappropriate implementation in Navigation
Medium CVE-2024-1675: Insufficient policy enforcement in Download
Low CVE-2024-1676: Inappropriate implementation in Navigation
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.
Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the Rose X.25 protocol
implementation in the Linux kernel, leading to a use-after- free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51782)
It was discovered that the netfilter connection tracker for netlink in the
Linux kernel did not properly perform reference counting in some error
conditions. A local attacker could possibly use this to cause a denial of
service (memory exhaustion). (CVE-2023-7192)
USN-6584-1 fixed several vulnerabilities in Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. This update provides the corresponding updates for
CVE-2021-33912 and CVE-2021-33913 in Ubuntu 16.04 LTS.
We apologize for the inconvenience.
Original advisory details:
Philipp Jeitner and Haya Shulman discovered that Libspf2 incorrectly handled
certain inputs. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2021-20314)
It was discovered that Libspf2 incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to cause a denial of service or
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-33912, CVE-2021-33913)
Details of this CVE (CVE-2023-46045) are now published, but the CPEs are
incomplete. For those who track such things, the affected range is
[2.36.0, 10.0.1).
