CVE-2022-45410

When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

History

15 Apr 2025, 15:16

Type Values Removed Values Added
CWE CWE-862

21 Nov 2024, 07:29

Type Values Removed Values Added
Summary
  • (es) Cuando un ServiceWorker interceptó una solicitud con <code>FetchEvent</code>, el origen de la solicitud se perdió después de que ServiceWorker tomó posesión de ella. Esto tuvo el efecto de anular las protecciones de cookies de SameSite. Esto se solucionó en la especificación y luego en los navegadores. Esta vulnerabilidad afecta a Firefox ESR &lt; 102,5, Thunderbird &lt; 102.5 y Firefox &lt; 107.
References () https://bugzilla.mozilla.org/show_bug.cgi?id=1658869 - Issue Tracking, Permissions Required, Vendor Advisory () https://bugzilla.mozilla.org/show_bug.cgi?id=1658869 - Issue Tracking, Permissions Required, Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2022-47/ - Vendor Advisory () https://www.mozilla.org/security/advisories/mfsa2022-47/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2022-48/ - Vendor Advisory () https://www.mozilla.org/security/advisories/mfsa2022-48/ - Vendor Advisory
References () https://www.mozilla.org/security/advisories/mfsa2022-49/ - Vendor Advisory () https://www.mozilla.org/security/advisories/mfsa2022-49/ - Vendor Advisory

Information

Published : 2022-12-22 20:15

Updated : 2025-04-15 15:16


NVD link : CVE-2022-45410

Mitre link : CVE-2022-45410

CVE.ORG link : CVE-2022-45410


JSON object : View

Products Affected

mozilla

  • thunderbird
  • firefox_esr
  • firefox
CWE
NVD-CWE-noinfo CWE-862

Missing Authorization