Alpine: multiple firefox packages: security update to 71.0.1-r0

high Tenable Cloud Security Plugin ID 404363

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type
confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects
Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1. (CVE-2019-17026)

- When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly
rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in
data exfiltration. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17016)

- Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a
crash. We presume that with enough effort that it could be exploited to run arbitrary code. This
vulnerability affects Firefox ESR < 68.4 and Firefox < 72. (CVE-2019-17017)

- If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the
Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g.
includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the
XML document. This vulnerability affects Firefox < 72. (CVE-2019-17020)

- When pasting a &lt;style&gt; tag from the clipboard into a rich text editor, the CSS sanitizer does not
escape &lt; and &gt; characters. Because the resulting string is pasted directly into the text node of the
element this does not result in a direct injection into the webpage; however, if a webpage subsequently
copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability.
Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox
ESR < 68.4 and Firefox < 72. (CVE-2019-17022)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-17016

https://security.alpinelinux.org/vuln/CVE-2019-17017

https://security.alpinelinux.org/vuln/CVE-2019-17020

https://security.alpinelinux.org/vuln/CVE-2019-17022

https://security.alpinelinux.org/vuln/CVE-2019-17023

https://security.alpinelinux.org/vuln/CVE-2019-17024

https://security.alpinelinux.org/vuln/CVE-2019-17025

https://security.alpinelinux.org/vuln/CVE-2019-17026

Plugin Details

Severity: High

ID: 404363

Version: Revision 1.34

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.67

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-17026

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/7/2020

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Reference Information

CVE: CVE-2019-17016, CVE-2019-17017, CVE-2019-17020, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-17025, CVE-2019-17026

IAVA: 2020-A-0002-S