Vulnerability CVE-2022-45410: Information

Description

When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-45410

Published: Dec. 22, 2022

Modified: Jan. 4, 2023

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
firefox	sisyphus	107.0-alt1	126.0.1-alt1	ALT-PU-2022-3090-1	310119	Fixed
firefox	p10	107.0-alt0.p10.1	118.0.2-alt0.p10.1	ALT-PU-2022-3270-1	310328	Fixed
firefox	c10f1	107.0-alt0.p10.1	112.0.2-alt0.p10.1	ALT-PU-2022-3270-1	310328	Fixed
firefox	p11	107.0-alt1	126.0.1-alt1	ALT-PU-2022-3090-1	310119	Fixed
firefox-esr	sisyphus	102.5.0-alt1	115.11.0-alt1	ALT-PU-2022-3099-1	310102	Fixed
firefox-esr	p10	102.5.0-alt2	115.11.0-alt1	ALT-PU-2022-3340-1	311456	Fixed
firefox-esr	p9	102.6.0-alt0.c9.1	102.11.0-alt0.c9.1	ALT-PU-2023-4336-1	319683	Fixed
firefox-esr	c10f1	115.8.0-alt0.c10.1	115.9.1-alt0.c10.1	ALT-PU-2024-3614-2	340631	Fixed
firefox-esr	c9f2	102.6.0-alt0.c9.1	102.12.0-alt0.c9.1	ALT-PU-2023-1138-1	309126	Fixed
firefox-esr	p11	102.5.0-alt1	115.11.0-alt1	ALT-PU-2022-3099-1	310102	Fixed
thunderbird	sisyphus	102.5.0-alt1	115.9.0-alt1	ALT-PU-2022-3097-1	310101	Fixed
thunderbird	p10	102.5.0-alt1	115.9.0-alt1	ALT-PU-2022-3209-1	310334	Fixed
thunderbird	p9	102.7.1-alt1	102.11.0-alt0.c9.1	ALT-PU-2023-4335-1	319683	Fixed
thunderbird	c10f1	102.5.0-alt1	115.9.0-alt0.c10.1	ALT-PU-2022-3209-1	310334	Fixed
thunderbird	c9f2	102.6.1-alt1	102.11.0-alt0.c9.1	ALT-PU-2023-1137-1	309126	Fixed
thunderbird	p11	102.5.0-alt1	115.9.0-alt1	ALT-PU-2022-3097-1	310101	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1658869	Issue Tracking Permissions Required Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-49/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-48/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-47/	Vendor Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excliding
  107.0
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  End excliding
  102.5
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  End excliding
  102.5

Version: v24.5.3

Vulnerability CVE-2022-45410: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1