Alpine: multiple firefox packages: security update to 80.0-r0

high Tenable Cloud Security Plugin ID 404371

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute
updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service
does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous
version which would have allowed exploitation of an older bug and arbitrary code execution with System
Privileges. *Note: This issue only affected Windows operating systems. Other operating systems are
unaffected.*. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox
ESR < 68.12, and Firefox ESR < 78.2. (CVE-2020-15663)

- When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which
leaked partial information about the nonce used during signature generation. Given an electro-magnetic
trace of a few signature generations, the private key could have been computed. This vulnerability affects
Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)

- When converting coordinates from projective to affine, the modular inversion was not performed in constant
time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80
and Firefox for Android < 80. (CVE-2020-12400)

- During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar
multiplication was removed, resulting in variable-time execution dependent on secret data. This
vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-12400

https://security.alpinelinux.org/vuln/CVE-2020-12401

https://security.alpinelinux.org/vuln/CVE-2020-15663

https://security.alpinelinux.org/vuln/CVE-2020-15664

https://security.alpinelinux.org/vuln/CVE-2020-15665

https://security.alpinelinux.org/vuln/CVE-2020-15666

https://security.alpinelinux.org/vuln/CVE-2020-15667

https://security.alpinelinux.org/vuln/CVE-2020-15668

https://security.alpinelinux.org/vuln/CVE-2020-15670

https://security.alpinelinux.org/vuln/CVE-2020-6829

Plugin Details

Severity: High

ID: 404371

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-15663

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-15670

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/13/2020

Reference Information

CVE: CVE-2020-12400, CVE-2020-12401, CVE-2020-15663, CVE-2020-15664, CVE-2020-15665, CVE-2020-15666, CVE-2020-15667, CVE-2020-15668, CVE-2020-15670, CVE-2020-6829

IAVA: 2020-A-0391-S