Search for vulnerabilities
Vulnerability details: VCID-n6fw-n4rm-aaas
Vulnerability ID VCID-n6fw-n4rm-aaas
Aliases CVE-2024-7531
Summary Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-319 Cleartext Transmission of Sensitive Information
System Score Found at
cvssv3 3.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7531.json
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00103 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00103 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00103 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00103 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00103 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00103 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00117 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00117 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00117 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00117 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00124 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
epss 0.00216 https://api.first.org/data/v1/epss?cve=CVE-2024-7531
cvssv3.1 4.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 6.5 https://nvd.nist.gov/vuln/detail/CVE-2024-7531
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2024-7531
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2024-33
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2024-34
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2024-35
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7531.json
https://api.first.org/data/v1/epss?cve=CVE-2024-7531
https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7525
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7531
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://www.mozilla.org/security/advisories/mfsa2024-33/
https://www.mozilla.org/security/advisories/mfsa2024-34/
https://www.mozilla.org/security/advisories/mfsa2024-35/
2303148 https://bugzilla.redhat.com/show_bug.cgi?id=2303148
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
CVE-2024-7531 https://nvd.nist.gov/vuln/detail/CVE-2024-7531
GLSA-202412-04 https://security.gentoo.org/glsa/202412-04
GLSA-202412-06 https://security.gentoo.org/glsa/202412-06
GLSA-202412-13 https://security.gentoo.org/glsa/202412-13
mfsa2024-33 https://www.mozilla.org/en-US/security/advisories/mfsa2024-33
mfsa2024-34 https://www.mozilla.org/en-US/security/advisories/mfsa2024-34
mfsa2024-35 https://www.mozilla.org/en-US/security/advisories/mfsa2024-35
RHSA-2024:6839 https://access.redhat.com/errata/RHSA-2024:6839
USN-6966-1 https://usn.ubuntu.com/6966-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7531.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-7531
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-7531
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.26932
EPSS Score 0.00060
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-08-06T17:27:22.236180+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2024/mfsa2024-33.yml 34.0.0rc4