CVE-2024-4765

Web application manifests were stored by using an insecure MD5 hash which allowed for a hash collision to overwrite another application's manifest. This could have been exploited to run arbitrary code in another application's context. *This issue only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 126.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1871109	Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-21/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1871109	Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-21/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-05-14 18:15

Updated : 2025-04-04 14:27

NVD link : CVE-2024-4765

Mitre link : CVE-2024-4765

CVE.ORG link : CVE-2024-4765

JSON object : View

Products Affected

mozilla

firefox

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

{"id": "CVE-2024-4765", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-05-14T18:15:13.133", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1871109", "tags": ["Issue Tracking"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-21/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1871109", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-21/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-327"}]}], "descriptions": [{"lang": "en", "value": "Web application manifests were stored by using an insecure MD5 hash which allowed for a hash collision to overwrite another application's manifest. This could have been exploited to run arbitrary code in another application's context. \n*This issue only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 126."}, {"lang": "es", "value": "Los manifiestos de las aplicaciones web se almacenaban mediante un hash MD5 inseguro que permit\u00eda que una colisi\u00f3n de hash sobrescribiera el manifiesto de otra aplicaci\u00f3n. Esto podr\u00eda haberse aprovechado para ejecutar c\u00f3digo arbitrario en el contexto de otra aplicaci\u00f3n. *Este problema s\u00f3lo afecta a Firefox para Android. Otras versiones de Firefox no se ven afectadas.* Esta vulnerabilidad afecta a Firefox < 126."}], "lastModified": "2025-04-04T14:27:03.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "706B671C-BEF5-488D-BCEF-3A5342A4DD1C", "versionEndExcluding": "126.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}