CVE-2024-6612: 
NixOS vulnerability analysis and mitigation

CVE-2024-6612 is a security vulnerability discovered in Firefox and Thunderbird versions below 128. The vulnerability was reported by Aidan Stephenson & Yannik Marchand and was disclosed on July 9, 2024. The issue affects the Content Security Policy (CSP) violation handling in the developer tools console (Mozilla Advisory).

The vulnerability occurs when CSP violations generate links in the console tab of the developer tools, pointing to the violating resource. This implementation flaw causes a DNS prefetch which leaks information about CSP violations. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability has been rated as having a low impact by Mozilla. It results in information disclosure by leaking that a CSP violation occurred through DNS prefetch operations. This could potentially allow attackers to gather information about security policy violations on the target system (Mozilla Advisory).

The vulnerability has been fixed in Firefox 128 and Thunderbird 128. Users are advised to upgrade to these versions or later to mitigate the vulnerability. For Ubuntu users, Firefox 128.0+build2-0ubuntu0.20.04.1 has been released for Ubuntu 20.04 LTS to address this issue (Ubuntu Security).