CVE-2024-8381: 
NixOS vulnerability analysis and mitigation

A type confusion vulnerability (CVE-2024-8381) was discovered in Mozilla products, reported by security researcher Nils Bars. The vulnerability affects Firefox versions before 130, Firefox ESR versions before 128.2 and 115.15, and Thunderbird versions before 128.2 and 115.15. The issue was disclosed on September 3, 2024, and involves a potentially exploitable type confusion that could be triggered when looking up a property name on an object being used as the with environment (Mozilla Advisory).

The vulnerability is classified as a type confusion issue (CWE-843: Access of Resource Using Incompatible Type). It received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no required privileges or user interaction, and high impacts on confidentiality, integrity, and availability (NVD).

The vulnerability has been rated as high impact. In Firefox and Firefox ESR, the type confusion could potentially lead to arbitrary code execution. For Thunderbird, while these flaws generally cannot be exploited through email because scripting is disabled when reading mail, they remain potential risks in browser or browser-like contexts (Mozilla Advisory).

The vulnerability has been fixed in Firefox 130, Firefox ESR 128.2, Firefox ESR 115.15, Thunderbird 128.2, and Thunderbird 115.15. Users are advised to update to these or later versions to mitigate the vulnerability (Mozilla Advisory).