CVE-2024-10467: 
NixOS vulnerability analysis and mitigation

CVE-2024-10467 is a memory safety vulnerability discovered in Mozilla products. The vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. The issue was identified by Andrew McCreight and the Mozilla Fuzzing Team, and was officially disclosed on October 29, 2024 (Mozilla Advisory).

The vulnerability involves memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. These bugs exhibited evidence of memory corruption that could potentially be exploited to execute arbitrary code. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H by NIST NVD, while CISA-ADP rated it with a CVSS score of 9.8 (CRITICAL) (NVD).

The vulnerability could potentially allow attackers to execute arbitrary code on affected systems. The high CVSS scores indicate that successful exploitation could lead to a complete compromise of system confidentiality, integrity, and availability. The vulnerability affects multiple versions of popular Mozilla products, including both Firefox and Thunderbird, potentially putting a large number of users at risk (Mozilla Advisory).

Mozilla has addressed this vulnerability by releasing security updates in Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132. Users are strongly advised to update their installations to these latest versions to mitigate the risk (Mozilla Advisory).