Alpine: multiple firefox-esr packages: security update to 102.5.0-r0

critical Tenable Cloud Security Plugin ID 404399

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird
102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.5,
Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45421)

- Service Workers should not be able to infer information about opaque cross-origin responses; but timing
information for cross-origin media combined with Range requests might have allowed them to determine the
presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5,
and Firefox < 107. (CVE-2022-45403)

- Through a series of popup and window.print() calls, an attacker can cause a window to go
fullscreen without the user seeing the notification prompt, resulting in potential user confusion or
spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
(CVE-2022-45404)

- Freeing arbitrary nsIInputStream objects on a different thread than creation could have led to a
use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5,
Thunderbird < 102.5, and Firefox < 107. (CVE-2022-45405)

- If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be
deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a
potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and
Firefox < 107. (CVE-2022-45406)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-45403

https://security.alpinelinux.org/vuln/CVE-2022-45404

https://security.alpinelinux.org/vuln/CVE-2022-45405

https://security.alpinelinux.org/vuln/CVE-2022-45406

https://security.alpinelinux.org/vuln/CVE-2022-45408

https://security.alpinelinux.org/vuln/CVE-2022-45409

https://security.alpinelinux.org/vuln/CVE-2022-45410

https://security.alpinelinux.org/vuln/CVE-2022-45411

https://security.alpinelinux.org/vuln/CVE-2022-45412

https://security.alpinelinux.org/vuln/CVE-2022-45416

https://security.alpinelinux.org/vuln/CVE-2022-45418

https://security.alpinelinux.org/vuln/CVE-2022-45420

https://security.alpinelinux.org/vuln/CVE-2022-45421

Plugin Details

Severity: Critical

ID: 404399

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-45421

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-45406

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/15/2022

Reference Information

CVE: CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421