CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
39.5%
Cross-Site Tracing occurs when a server will echo a request back via the
Trace method, allowing an XSS attack to access to authorization headers and
cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly).
To mitigate this attack, browsers placed limits on <code>fetch()</code> and
XMLHttpRequest; however some webservers have implemented non-standard
headers such as <code>X-Http-Method-Override</code> that override the HTTP
method, and made this attack possible again. Thunderbird has applied the
same mitigations to the use of this and similar headers. This vulnerability
affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
mdeslaur | starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | mozjs38 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | mozjs52 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | mozjs52 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | mozjs68 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | mozjs78 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | mozjs91 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | thunderbird | < 1:102.7.1+build2-0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | thunderbird | < 1:102.7.1+build2-0ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | thunderbird | < 1:102.7.1+build2-0ubuntu0.22.04.1 | UNKNOWN |
ubuntu | 22.10 | noarch | thunderbird | < 1:102.7.1+build2-0ubuntu0.22.10.1 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2022-45411
nvd.nist.gov/vuln/detail/CVE-2022-45411
security-tracker.debian.org/tracker/CVE-2022-45411
ubuntu.com/security/notices/USN-5726-1
ubuntu.com/security/notices/USN-5824-1
www.cve.org/CVERecord?id=CVE-2022-45411
www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45411
www.mozilla.org/en-US/security/advisories/mfsa2022-48/#CVE-2022-45411
www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45411