Security Bulletin
Summary
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management have been delivered in a HotFix for 2.3 FP9
Vulnerability Details
CVEID: CVE-2024-6600
DESCRIPTION: Mozilla Firefox could allow a remote attacker to gain unauthorized access to the system, caused by a memory corruption in WebGL API. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to trigger an out-of-bounds access.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-6601
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a race condition in permission assignment. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability leading to a cross-origin container obtaining permissions of the top-level origin.
CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-6602
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory corruption in NSS. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-6603
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption in thread creation. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-823: Use of Out-of-range Pointer Offset
CVSS Source: IBM X-Force
CVSS Base score: 7.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-6604
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7519
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by insufficient checks when processing graphics shared memory leading to memory corruption. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7521
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by incomplete WebAssembly exception handing leading to a use-after-free error. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-755: Improper Handling of Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7522
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in editor component. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7524
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error on a site protected by Content Security Policy in "strict-dynamic" mode. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-7525
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by missing permission check when creating a StreamFilter. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CWE: CWE-276: Incorrect Default Permissions
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-7526
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by reading from uninitialized memory. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to leak sensitive data from memory.
CWE: CWE-908: Use of Uninitialized Resource
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-7527
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in JavaScript garbage collection. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7529
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the obscuring of security prompts by document content. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.
CWE: CWE-451: User Interface (UI) Misrepresentation of Critical Information
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-7531
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error related to calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to reveal plaintext on Intel Sandy Bridge machines.
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-7652
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in Async Generators in Javascript Engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-8381
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion when looking up a property name on an object being used as the with environment. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-8382
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the exposure of internal event interfaces to Web content when browser EventHandler listener callbacks ran. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-273: Improper Check for Dropped Privileges
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-8383
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to ask before openings news: links in an external application. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CWE: CWE-1188: Initialization of a Resource with an Insecure Default
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-8384
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions. The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-8385
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a WASM type confusion involving ArrayTypes. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-8386
DESCRIPTION: Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by Select elements appearing on top of another site when popups are allowed. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-8387
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9392
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error in a compromised content process. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass site isolation and load cross-origin pages.
CWE: CWE-346: Origin Validation Error
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-9393
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using multipart responses. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to access cross-origin PDF content.
CWE: CWE-346: Origin Validation Error
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-9394
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using multipart responses. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to access cross-origin JSON content.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-9396
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9397
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a missing delay in directory upload UI. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions and trick a user into granting permission.
CWE: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-9398
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using popups. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to enumerate external protocol handlers.
CWE: CWE-203: Observable Discrepancy
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-9399
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by an error in a website configured to initiate a specially crafted WebTransport session. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CWE: CWE-404: Improper Resource Shutdown or Release
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-9400
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by a memory corruption during JIT compilation. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trigger an OOM at a specific moment and cause the browser to crash.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-9401
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9402
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9680
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in Animation timeline. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-26119
DESCRIPTION: HtmlUnit could allow a remote attacker to execute arbitrary code on the system, caused by an XSTL code injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-2798
DESCRIPTION: HtmlUnit is vulnerable to a denial of service, caused by a stack-based buffer overflow. By using a specially crafted content, a remote attacker could exploit this vulnerability to cause the application to crash.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
DESCRIPTION: Mozilla Firefox could allow a remote attacker to gain unauthorized access to the system, caused by a memory corruption in WebGL API. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to trigger an out-of-bounds access.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-6601
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a race condition in permission assignment. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability leading to a cross-origin container obtaining permissions of the top-level origin.
CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-6602
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory corruption in NSS. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-6603
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption in thread creation. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-823: Use of Out-of-range Pointer Offset
CVSS Source: IBM X-Force
CVSS Base score: 7.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2024-6604
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7519
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by insufficient checks when processing graphics shared memory leading to memory corruption. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7521
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by incomplete WebAssembly exception handing leading to a use-after-free error. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-755: Improper Handling of Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7522
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in editor component. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7524
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error on a site protected by Content Security Policy in "strict-dynamic" mode. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-7525
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by missing permission check when creating a StreamFilter. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CWE: CWE-276: Incorrect Default Permissions
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-7526
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by reading from uninitialized memory. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to leak sensitive data from memory.
CWE: CWE-908: Use of Uninitialized Resource
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-7527
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in JavaScript garbage collection. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-7529
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the obscuring of security prompts by document content. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trick a user into granting permissions.
CWE: CWE-451: User Interface (UI) Misrepresentation of Critical Information
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-7531
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error related to calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to reveal plaintext on Intel Sandy Bridge machines.
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-7652
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in Async Generators in Javascript Engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-476: NULL Pointer Dereference
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-8381
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion when looking up a property name on an object being used as the with environment. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-8382
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the exposure of internal event interfaces to Web content when browser EventHandler listener callbacks ran. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-273: Improper Check for Dropped Privileges
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-8383
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to ask before openings news: links in an external application. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CWE: CWE-1188: Initialization of a Resource with an Insecure Default
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-8384
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions. The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-8385
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a WASM type confusion involving ArrayTypes. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-8386
DESCRIPTION: Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by Select elements appearing on top of another site when popups are allowed. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-8387
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: CISA ADP
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9392
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error in a compromised content process. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass site isolation and load cross-origin pages.
CWE: CWE-346: Origin Validation Error
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-9393
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using multipart responses. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to access cross-origin PDF content.
CWE: CWE-346: Origin Validation Error
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-9394
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using multipart responses. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to access cross-origin JSON content.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-9396
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9397
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a missing delay in directory upload UI. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions and trick a user into granting permission.
CWE: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID: CVE-2024-9398
DESCRIPTION: Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using popups. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to enumerate external protocol handlers.
CWE: CWE-203: Observable Discrepancy
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-9399
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by an error in a website configured to initiate a specially crafted WebTransport session. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CWE: CWE-404: Improper Resource Shutdown or Release
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-9400
DESCRIPTION: Mozilla Firefox is vulnerable to a denial of service, caused by a memory corruption during JIT compilation. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to trigger an OOM at a specific moment and cause the browser to crash.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2024-9401
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9402
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2024-9680
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in Animation timeline. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-26119
DESCRIPTION: HtmlUnit could allow a remote attacker to execute arbitrary code on the system, caused by an XSTL code injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-2798
DESCRIPTION: HtmlUnit is vulnerable to a denial of service, caused by a stack-based buffer overflow. By using a specially crafted content, a remote attacker could exploit this vulnerability to cause the application to crash.
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM CP4MCM | 2.3 to 2.3 FP9 |
Remediation/Fixes
Steps to apply the hotfix:
1. Pull the debug image by running the below command.
docker pull docker://icr.io/cp/cp4mcm/synthetic-playback-selenium:developer-fix-1629-hotfix-1629
2. On CP4MCM, identify the Monitoring Cluster Service Version (CSV) using the below command. The CSV name will be used in the next steps.
oc get csv -n management-monitoring | grep ibm-management-monitoring | awk '{print $1}'
3. Take a backup of the CSV file.
oc get csv -n management-monitoring <CSV-name> -o yaml >/tmp/csv-backup
4. Update image on setup by executing the below command to edit the Monitoring Cluster Service Version (CSV) file.
oc edit csv -n management-monitoring <CSV-name>
5. Find and update the following entry.
olm.relatedImage.synthetic-playback-selenium: "icr.io/cp/cp4mcm/synthetic-playback-selenium:developer-fix-1629-hotfix-1629"
6. Check if the recreated synthetic-playback-selenium pod is up.
oc get pods -n management-monitoring | grep selenium
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Off
Acknowledgement
Change History
30 Jan 2025: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFC4F","label":"IBM Cloud Pak for Multicloud Management"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.3 Fix Pack 9","Edition":"","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]
Was this topic helpful?
Document Information
Modified date:
14 April 2025
UID
ibm17182026