CVE-2024-6601: 
NixOS vulnerability analysis and mitigation

CVE-2024-6601 is a race condition vulnerability discovered in Mozilla products that was disclosed on July 9, 2024. The vulnerability affects Firefox versions prior to 128, Firefox ESR versions before 115.13, Thunderbird versions before 115.13, and Thunderbird versions before 128. The vulnerability was reported by security researcher Andreas Farre (Mozilla Advisory).

The vulnerability is classified as a race condition that could allow a cross-origin container to obtain permissions of the top-level origin. The severity is rated as moderate according to Mozilla's impact assessment. The vulnerability has been assigned CWE-367 (Time-of-check Time-of-use Race Condition) by CISA-ADP, with a CVSS v3.1 base score of 4.7 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability could potentially allow a malicious cross-origin container to gain unauthorized permissions that should only be available to the top-level origin. This could lead to privilege escalation and potential security boundary violations in affected Mozilla products (Mozilla Advisory).

The vulnerability has been fixed in Firefox 128, Firefox ESR 115.13, Thunderbird 115.13, and Thunderbird 128. Users are advised to update their Mozilla products to these versions or later to mitigate the vulnerability (Red Hat).