CVE-2022-31736 — Permissive Cross-domain Security Policy with Untrusted Domains in Mozilla Firefox

CWE-942 — Permissive Cross-domain Security Policy with Untrusted Domains CWE-829 — Inclusion of Functionality from Untrusted Control Sphere12 documents8 sources

Severity

9.8CRITICALNVD

OSV6.5

EPSS

0.2%

top 55.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 22

Description

A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 101

▶NVDmozilla/firefox< 101

▶CVEListV5mozilla/firefox_esrunspecified — 91.10

▶NVDmozilla/firefox_esr< 91.10

▶CVEListV5mozilla/thunderbirdunspecified — 91.10

🔴Vulnerability Details

CVEList

CVE-2022-31736: A malicious website could have learned the size of a cross-origin resource that supported Range requests↗2022-12-22

▶

OSV

CVE-2022-31736: A malicious website could have learned the size of a cross-origin resource that supported Range requests↗2022-12-22

▶

GHSA

GHSA-4765-j7w9-p387: A malicious website could have learned the size of a cross-origin resource that supported Range requests↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-07-14

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-07-14

▶

Ubuntu

Firefox vulnerabilities↗2022-06-13

▶

Red Hat

Mozilla: Cross-Origin resource's length leaked↗2022-05-31

▶

Debian

CVE-2022-31736: firefox - A malicious website could have learned the size of a cross-origin resource that ...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-21: CVE-2022-31736↗

▶