
Cloud Vulnerability DB
A community-led vulnerabilities database
Cross-Site Tracing (CVE-2022-45411) is a security vulnerability in web browsers that allows attackers to bypass CORS protections and access sensitive information through the HTTP TRACE method. The vulnerability was disclosed on November 15, 2022, affecting major browsers including Firefox, with a moderate severity impact. The issue specifically affects browsers' fetch() and XMLHttpRequest implementations when they interact with servers that support both the TRACE method and non-standard HTTP method override headers (Mozilla Advisory).
The attack combines the non-standard HTTP method override headers (x-http-method-override, x-http-method, x-method-override) with the TRACE method to bypass existing browser protections. When a server implements CORS by echoing the contents of the Access-Control-Request-Headers request header back in the Access-Control-Allow-Headers response header, an attacker can use these override headers to carry out Cross-Site Tracing attacks that browser security measures had previously blocked. This bypass exposes authorization headers and HttpOnly cookies that should be inaccessible to JavaScript (Mozilla Advisory, Mozilla Bug).
The vulnerability enables attackers to perform Cross-Site Tracing (XST) attacks, giving them access to authorization headers and cookies protected by the HttpOnly attribute that are normally inaccessible to JavaScript. This could expose sensitive authentication tokens and other privileged information wherever a server implements both the TRACE method and HTTP method override headers (Mozilla Advisory).
The vulnerability was addressed in Firefox 107 and Firefox ESR 102.5 by applying mitigations to the use of HTTP method override headers in the fetch() and XMLHttpRequest implementations. The fix prevents the TRACE method from being reached through override headers, preserving the existing protections against Cross-Site Tracing attacks (Mozilla Advisory).
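The browser fix above closes the client side, but the advisory's precondition is a server that both reflects Access-Control-Request-Headers and honours method override headers. The following added example (not code from this report, from Wiz, or from Mozilla) models a Node-style server's preflight handling and override resolution: the reflecting pattern the advisory describes beside an allowlist version, plus an override resolver that can never land on TRACE. The origin and header allowlists are assumed values, and header names are handled lower-cased as Node's http module presents them.

```javascript
// The non-standard override headers named in the advisory.
const METHOD_OVERRIDE_HEADERS = ['x-http-method-override', 'x-http-method', 'x-method-override'];

// Methods browsers forbid for fetch()/XMLHttpRequest; a server honouring
// override headers must refuse them as override targets as well.
const FORBIDDEN_METHODS = new Set(['TRACE', 'TRACK', 'CONNECT']);

// Reflecting pattern: echo whatever the preflight asks for. Together with
// TRACE support and an override header, this is the setup the advisory warns about.
function echoingPreflight(reqHeaders) {
  return {
    'access-control-allow-origin': reqHeaders.origin || '*',
    'access-control-allow-methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'access-control-allow-headers': reqHeaders['access-control-request-headers'] || '',
  };
}

// Hardened pattern: explicit origin and header allowlists (assumed values).
// Override headers are never in the allowlist, so the browser's preflight
// fails before any override header is sent cross-origin.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_HEADERS = new Set(['content-type', 'authorization']);

function allowlistPreflight(reqHeaders) {
  if (!ALLOWED_ORIGINS.has(reqHeaders.origin)) return null; // no CORS grant at all
  const requested = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  // A requested header outside the allowlist fails the whole preflight
  // rather than being partially granted.
  if (requested.some(h => !ALLOWED_HEADERS.has(h))) return null;
  return {
    'access-control-allow-origin': reqHeaders.origin,
    'access-control-allow-methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'access-control-allow-headers': [...ALLOWED_HEADERS].join(', '),
    'vary': 'Origin',
  };
}

// Override resolution for servers that support these headers: accept an
// override only on POST (the usual framework convention, assumed here) and
// only to a fixed set of ordinary methods, so TRACE is unreachable by design.
const OVERRIDABLE_TO = new Set(['PUT', 'PATCH', 'DELETE']);

function resolveMethod(method, reqHeaders) {
  const base = method.toUpperCase();
  for (const name of METHOD_OVERRIDE_HEADERS) {
    if (reqHeaders[name] === undefined) continue;
    const target = String(reqHeaders[name]).trim().toUpperCase();
    if (base !== 'POST' || !OVERRIDABLE_TO.has(target) || FORBIDDEN_METHODS.has(target)) {
      // Keep the real method and report the rejected override for logging.
      return { method: base, rejectedOverride: target };
    }
    return { method: target, rejectedOverride: null };
  }
  return { method: base, rejectedOverride: null };
}

// Constructed preflight from a foreign origin asking to send an override header.
const constructedPreflight = {
  origin: 'https://evil.example.net',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'content-type, x-http-method-override',
};

console.log(echoingPreflight(constructedPreflight));   // reflects x-http-method-override
console.log(allowlistPreflight(constructedPreflight)); // null: nothing granted
console.log(resolveMethod('POST', { 'x-http-method-override': 'TRACE' })); // override rejected
```

The `rejectedOverride` field is there so a request logger can record attempted TRACE overrides, which is a useful detection signal. Independently of application code, disabling TRACE at the web server (for example `TraceEnable off` in Apache httpd) removes the other half of the precondition.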
The vulnerability was acknowledged as a security issue by major browser vendors, leading to coordinated fixes across browsers. Mozilla awarded a security bug bounty for the report, acknowledging that while it was not strictly a browser bug, the fix made users safer. The issue also prompted updates to the Fetch specification to address the security implications of HTTP method override headers (Mozilla Bug).
Source: This report was generated using AI