CVE Vulnerability

CVE-2022-45410

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1658869 Issue Tracking Permissions Required
https://www.mozilla.org/security/advisories/mfsa2022-49/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-48/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-47/ Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Information

Published : 2022-12-22 08:15

Updated : 2023-01-04 05:43

NVD link : CVE-2022-45410

Mitre link : CVE-2022-45410

Products Affected
No products.
CWE
NVD-CWE-noinfo