CVE-2024-5690
Published: 11 June 2024
Summary
CVE-2024-5690 is a medium-severity Observable Discrepancy (CWE-203) vulnerability in Mozilla Firefox. Its CVSS base score is 4.3 (Medium).
Operationally, ranked in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-5690 is a timing-based information disclosure vulnerability stemming from observable discrepancies in how certain operations execute. It affects Firefox versions prior to 127, Firefox ESR versions prior to 115.12, and Thunderbird versions prior to 115.12, allowing an attacker to infer the presence of functional external protocol handlers on a target system through measurement of operation durations. The issue is tracked under CWE-203 and carries a CVSS 3.1 score of 4.3.
An unauthenticated remote attacker can exploit the flaw by serving malicious web content that triggers and times specific operations, requiring user interaction such as visiting a crafted page. Successful exploitation yields limited information about which external protocol handlers are active, potentially aiding further reconnaissance or targeted attacks without direct code execution or privilege escalation.
Mozilla security advisories MFSA2024-25 and MFSA2024-26, along with corresponding Debian LTS announcements, direct users to apply the fixed releases (Firefox 127, ESR 115.12, and Thunderbird 115.12) as the primary mitigation. The referenced Bugzilla entry provides additional technical detail on the root cause and resolution.
EPSS scores for this CVE have remained flat at 0.0588 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46862
Vulnerability details
By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.
Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.
Prevents attackers from using observable differences in error responses to infer internal system details or state.