CVE-2024-1551: 
NixOS vulnerability analysis and mitigation

CVE-2024-1551 is a security vulnerability discovered in Mozilla Firefox browsers and Thunderbird email client that affects versions of Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. The vulnerability involves Set-Cookie response headers being incorrectly honored in multipart HTTP responses, where an attacker with control over the Content-Type response header and response body could inject Set-Cookie response headers that would be honored by the browser (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. It is classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking). The issue specifically occurs when processing multipart HTTP responses, where Set-Cookie headers from response parts were incorrectly being honored, contrary to expected behavior (NVD).

If exploited, an attacker who can control both the Content-Type response header and part of the response body could inject Set-Cookie response headers that would be honored by the browser. This could potentially lead to unauthorized cookie manipulation and session-related attacks (Mozilla Advisory).

The vulnerability has been fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Users are advised to upgrade to these versions or later to mitigate the risk. The fix involves blocking Set-Cookie headers from multipart HTTP responses (Red Hat).