PT-2024-3493 · Mozilla+10 · Thunderbird+12
Bartek Nowotarski
·
Published
2024-04-04
·
Updated
2025-03-14
·
CVE-2024-3302
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 125
Firefox ESR versions prior to 115.10
Thunderbird versions prior to 115.10
Description
The issue is related to the implementation of the HTTP/2 protocol in the affected browsers, where there was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This could allow a remote attacker to cause a denial of service.
Recommendations
For Firefox versions prior to 125, update to version 125 or later to resolve the issue.
For Firefox ESR versions prior to 115.10, update to version 115.10 or later to resolve the issue.
For Thunderbird versions prior to 115.10, update to version 115.10 or later to resolve the issue.
As a temporary workaround, consider restricting access to HTTP/2 CONTINUATION frames until a patch is available.
Exploit
Fix
Resource Exhaustion
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Firefox
Firefox Esr
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Ubuntu