Cross-site tracing in Mozilla products - CVE-2022-45411
Published: November 15, 2022
Vulnerability identifier: #VU69327
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-45411
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mozilla
Affected software:
Mozilla Firefox
Firefox ESR
Firefox for Android
Mozilla Firefox
Firefox ESR
Firefox for Android
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling non-standard headers. Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-standard headers such as X-Http-Method-Override
that override the HTTP method, and made this attack possible again.
How to mitigate CVE-2022-45411
Install updates from vendor's website.