VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-bmgw-yunk-h7cc

Essentials
Severities (92)
References (44)
Severity details (15)
Exploits (1)
EPSS
History (1)

Vulnerability ID	VCID-bmgw-yunk-h7cc
Aliases	CVE-2024-9680
Summary	An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-416

Use After Free

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9680.json
cvssv3	9.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9680.json
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00311	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00319	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00319	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00362	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00362	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00362	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.00362	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09147	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09147	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09444	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09444	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.09511	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.10797	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.10797	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.10797	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.10797	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.10797	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.10797	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.11704	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.3452	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
epss	0.44469	https://api.first.org/data/v1/epss?cve=CVE-2024-9680
cvssv3.1	9.8	https://bugzilla.mozilla.org/show_bug.cgi?id=1923344
ssvc	Act	https://bugzilla.mozilla.org/show_bug.cgi?id=1923344
cvssv3.1	7.8	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	9.8	https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039
ssvc	Act	https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039
cvssv3	9.8	https://nvd.nist.gov/vuln/detail/CVE-2024-9680
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2024-9680
generic_textual	critical	https://www.mozilla.org/en-US/security/advisories/mfsa2024-51
generic_textual	critical	https://www.mozilla.org/en-US/security/advisories/mfsa2024-52
cvssv3.1	9.8	https://www.mozilla.org/security/advisories/mfsa2024-51/
ssvc	Act	https://www.mozilla.org/security/advisories/mfsa2024-51/
cvssv3.1	9.8	https://www.mozilla.org/security/advisories/mfsa2024-52/
ssvc	Act	https://www.mozilla.org/security/advisories/mfsa2024-52/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9680.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-9680
		https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281992
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9680
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://lists.debian.org/debian-lts-announce/2024/10/msg00005.html
		https://www.mozilla.org/security/advisories/mfsa2024-52/
1084989		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084989
2317442		https://bugzilla.redhat.com/show_bug.cgi?id=2317442
cpe:2.3:a:mozilla:firefox::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox::::::::
cpe:2.3:a:mozilla:firefox:::::-:::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:::::-:::*
cpe:2.3:a:mozilla:firefox:::::esr:::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:::::esr:::*
cpe:2.3:a:mozilla:firefox_esr::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr::::::::
cpe:2.3:a:mozilla:thunderbird::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird::::::::
cpe:2.3:a:mozilla:thunderbird:131.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:131.0:::::::*
cpe:2.3:o:debian:debian_linux:11.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:::::::*
CVE-2024-49039		https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039
CVE-2024-9680		https://nvd.nist.gov/vuln/detail/CVE-2024-9680
GLSA-202412-04		https://security.gentoo.org/glsa/202412-04
mfsa2024-51		https://www.mozilla.org/en-US/security/advisories/mfsa2024-51
mfsa2024-51		https://www.mozilla.org/security/advisories/mfsa2024-51/
mfsa2024-52		https://www.mozilla.org/en-US/security/advisories/mfsa2024-52
RHSA-2024:7958		https://access.redhat.com/errata/RHSA-2024:7958
RHSA-2024:7977		https://access.redhat.com/errata/RHSA-2024:7977
RHSA-2024:8024		https://access.redhat.com/errata/RHSA-2024:8024
RHSA-2024:8025		https://access.redhat.com/errata/RHSA-2024:8025
RHSA-2024:8026		https://access.redhat.com/errata/RHSA-2024:8026
RHSA-2024:8027		https://access.redhat.com/errata/RHSA-2024:8027
RHSA-2024:8028		https://access.redhat.com/errata/RHSA-2024:8028
RHSA-2024:8029		https://access.redhat.com/errata/RHSA-2024:8029
RHSA-2024:8030		https://access.redhat.com/errata/RHSA-2024:8030
RHSA-2024:8031		https://access.redhat.com/errata/RHSA-2024:8031
RHSA-2024:8032		https://access.redhat.com/errata/RHSA-2024:8032
RHSA-2024:8033		https://access.redhat.com/errata/RHSA-2024:8033
RHSA-2024:8034		https://access.redhat.com/errata/RHSA-2024:8034
RHSA-2024:8131		https://access.redhat.com/errata/RHSA-2024:8131
RHSA-2024:8166		https://access.redhat.com/errata/RHSA-2024:8166
RHSA-2024:8167		https://access.redhat.com/errata/RHSA-2024:8167
RHSA-2024:8176		https://access.redhat.com/errata/RHSA-2024:8176
RHSA-2024:9552		https://access.redhat.com/errata/RHSA-2024:9552
RHSA-2024:9554		https://access.redhat.com/errata/RHSA-2024:9554
show_bug.cgi?id=1923344		https://bugzilla.mozilla.org/show_bug.cgi?id=1923344
USN-7065-1		https://usn.ubuntu.com/7065-1/
USN-7066-1		https://usn.ubuntu.com/7066-1/

Data source	KEV
Date added	Oct. 15, 2024
Description	Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process.
Required action	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due date	Nov. 5, 2024
Note	https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/ ; https://nvd.nist.gov/vuln/detail/CVE-2024-9680
Ransomware campaign use	Unknown

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9680.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9680.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1923344

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-10-16T12:58:45Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1923344

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-10-16T12:58:45Z/ Found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-9680

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-9680

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2024-51/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-10-16T12:58:45Z/ Found at https://www.mozilla.org/security/advisories/mfsa2024-51/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2024-52/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-10-16T12:58:45Z/ Found at https://www.mozilla.org/security/advisories/mfsa2024-52/

Exploit Prediction Scoring System (EPSS)

Percentile	0.70765
EPSS Score	0.00311
Published At	Nov. 20, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
2024-10-10T04:30:34.342892+00:00	Mozilla Importer	Import	https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2024/mfsa2024-51.yml	34.0.2