CVE-2024-11696
Dec. 2, 2024, 6:15 p.m.
5.4
Medium
Description
The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
Product(s) Impacted
| Product | Versions |
|---|---|
| Firefox |
|
| Thunderbird |
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-347
Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Timeline
Published: Nov. 26, 2024, 2:15 p.m.
Last Modified: Dec. 2, 2024, 6:15 p.m.
Last Modified: Dec. 2, 2024, 6:15 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security@mozilla.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.