{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-45410", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2024-08-03T14:09:57.033Z", "dateReserved": "2022-11-14T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107."}], "affected": [{"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"version": "unspecified", "lessThan": "102.5", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "102.5", "status": "affected", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox", "versions": [{"version": "unspecified", "lessThan": "107", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-47/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-49/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-48/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1658869"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "ServiceWorker-intercepted requests bypassed SameSite cookie policy"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:09:57.033Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-47/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-49/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-48/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1658869", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "127E4452-84FE-49E3-A2EF-9C40C43A1FA6", "versionEndExcluding": "107.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC9380F7-F01F-4EA7-80D0-FD50AD5B292A", "versionEndExcluding": "102.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "25B4CDCF-8F95-4022-8B9F-82675E9E39B5", "versionEndExcluding": "102.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107."}, {"lang": "es", "value": "Cuando un ServiceWorker intercept\u00f3 una solicitud con <code>FetchEvent</code>, el origen de la solicitud se perdi\u00f3 despu\u00e9s de que ServiceWorker tom\u00f3 posesi\u00f3n de ella. Esto tuvo el efecto de anular las protecciones de cookies de SameSite. Esto se solucion\u00f3 en la especificaci\u00f3n y luego en los navegadores. Esta vulnerabilidad afecta a Firefox ESR &lt; 102,5, Thunderbird &lt; 102.5 y Firefox &lt; 107."}], "id": "CVE-2022-45410", "lastModified": "2023-01-04T17:43:48.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:43.067", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1658869"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-47/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-48/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-49/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Dongsung Kim as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:8552", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:102.5.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8555", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:102.5.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8547", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:102.5.0-2.el8_7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8554", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:102.5.0-1.el8_7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8553", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "firefox-0:102.5.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8556", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:102.5.0-2.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8543", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:102.5.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8550", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:102.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8543", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "thunderbird-0:102.5.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8550", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "firefox-0:102.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8543", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "thunderbird-0:102.5.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8550", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "firefox-0:102.5.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8544", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:102.5.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8549", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "firefox-0:102.5.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8545", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "thunderbird-0:102.5.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8548", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "firefox-0:102.5.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8561", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:102.5.0-2.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-21T00:00:00Z"}, {"advisory": "RHSA-2022:8580", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:102.5.0-1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-22T00:00:00Z"}, {"advisory": "RHSA-2022:8979", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "firefox-0:102.5.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2022-12-13T00:00:00Z"}, {"advisory": "RHSA-2022:8980", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "thunderbird-0:102.5.0-2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2022-12-13T00:00:00Z"}], "bugzilla": {"description": "Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy", "id": "2143203", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143203"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-1275", "details": ["When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.", "The Mozilla Foundation Security Advisory describes this flaw as: When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers."], "name": "CVE-2022-45410", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-11-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-45410\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-45410\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-48/#CVE-2022-45410\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45410"], "threat_severity": "Moderate", "upstream_fix": "firefox 102.5, thunderbird 102.5"}