Уязвимость утечки информации о нажатии клавиш в Mozilla Firefox и Thunderbird из-за некорректной обработки ссылок на объект "Keyboard events"
Описание
Злоумышленник способен использовать кэшевые временные атаки, такие как Prime+Probe, для определения, какие клавиши нажимаются. Это становится возможным из-за того, что строковые ссылки на Keyboard events, такие как KeyA, находятся по фиксированным, известным и широко распространенным адресам.
Затронутые версии ПО
- Firefox ESR < 102.5
- Thunderbird < 102.5
- Firefox < 107
Тип уязвимости
Утечка информации
Ссылки
- Issue TrackingPermissions RequiredVendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Issue TrackingPermissions RequiredVendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Одно из
EPSS
6.5 Medium
CVSS3
Дефекты
Связанные уязвимости
Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Keyboard events reference strings like "KeyA" that were at fixed, know ...
Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Уязвимость браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, связанная с ошибками в настройках безопасности, позволяющая нарушителю раскрыть защищаемую информацию
EPSS
6.5 Medium
CVSS3