CVE-2024-9393

一、漏洞信息
 漏洞编号：[CVE-2024-9393](https://nvd.nist.gov/vuln/detail/CVE-2024-9393)
 漏洞归属组件：[firefox](https://gitee.com/src-openeuler/firefox)
 漏洞归属的版本：100.0.2,102.14.0,102.15.0,102.8.0,115.15.0,128.5.0,128.6.0,128.7.0,128.8.0,62.0.3,79.0
 CVSS V3.0分值：
  BaseScore：7.5 High
  Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 漏洞简述：
  An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin.  This could allow them to access cross-origin PDF content. This access is limited to  same site  documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
 漏洞公开时间：2024-10-02 00:15:10
 漏洞创建时间：2024-10-02 00:43:01
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-9393
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| security.mozilla.org | https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2024-46/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2024-47/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2024-48/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2024-49/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2024-50/ |  |
| suse_bugzilla | https://smelt.suse.de/incident/35861/ | https://bugzilla.suse.com/show_bug.cgi?id=1230979 |
| suse_bugzilla | https://smelt.suse.de/incident/35862/ | https://bugzilla.suse.com/show_bug.cgi?id=1230979 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7505 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7552 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7621 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7622 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7646 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7703 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7704 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7702 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7699 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7700 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7842 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7855 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7853 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7856 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:7854 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:8169 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:8166 | https://bugzilla.redhat.com/show_bug.cgi?id=2315956 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-9393 |
| firefox | https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 | https://www.mozilla.org/en-US/security/advisories/mfsa2024-50/ |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2024-9393 |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2024-9393 | https://explore.alas.aws.amazon.com/CVE-2024-9393.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9393 | https://explore.alas.aws.amazon.com/CVE-2024-9393.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2024-46/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2024-47/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2024-48/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2024-49/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2024-50/ |  | nvd |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
            该漏洞需要升级至128.3.0esr版本解决，已升级24.03分支，当前维护分支22.03、20.03依赖不满足（rust>=1.76）无法升级修复     
 openEuler评分：
  7.5
 Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(79.0):受影响
2.openEuler-22.03-LTS-SP3(128.9.0):受影响
3.openEuler-22.03-LTS-SP4(128.9.0):受影响
4.openEuler-24.03-LTS(128.9.0):受影响
5.master(128.9.0):不受影响
6.openEuler-24.03-LTS-Next(128.9.0):不受影响
7.openEuler-24.03-LTS-SP1(128.9.0):不受影响
8.openEuler-24.03-LTS-SP2(128.9.0):

修复是否涉及abi变化(是/否)：
  1.master(128.9.0):否
2.openEuler-20.03-LTS-SP4(79.0):否
3.openEuler-22.03-LTS-SP3(128.9.0):否
4.openEuler-22.03-LTS-SP4(128.9.0):否
5.openEuler-24.03-LTS(128.9.0):否
6.openEuler-24.03-LTS-Next(128.9.0):否
7.openEuler-24.03-LTS-SP1(128.9.0):否
8.openEuler-24.03-LTS-SP2(128.9.0):

原因说明：
  1.openEuler-22.03-LTS-SP3(128.9.0):正常修复
2.openEuler-22.03-LTS-SP4(128.9.0):正常修复
3.openEuler-24.03-LTS(128.9.0):正常修复
4.openEuler-20.03-LTS-SP4(79.0):暂不修复-待升级版本修复
5.master(128.9.0):不受影响-漏洞代码不存在
6.openEuler-24.03-LTS-Next(128.9.0):不受影响-漏洞代码不存在
7.openEuler-24.03-LTS-SP1(128.9.0):不受影响-漏洞代码不存在
8.openEuler-24.03-LTS-SP2(128.9.0):

src-openEuler/firefox

內容風險標識

評論 (13)

src-openEuler/firefox .gitee-modal { width: 500px !important; }

內容風險標識

CVE-2024-9393

評論 (13)

搜索幫助

src-openEuler/firefox