Alpine: multiple firefox-esr packages: security update to 102.6.0-r0

critical Tenable Cloud Security Plugin ID 404400

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability
affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46882)

- An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary
files via clipboard-related IPC messages.<br>*This bug only affects Thunderbird for Linux. Other operating
systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird <
102.6. (CVE-2022-46872)

- A file with a long filename could have had its filename truncated to remove the valid extension, leaving a
malicious extension in its place. This could potentially led to user confusion and the execution of
malicious code.<br/>*Note*: This issue was originally included in the advisories for Thunderbird 102.6,
but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird
102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox
ESR < 102.6. (CVE-2022-46874)

- The executable file warning was not presented when downloading .atloc and .ftploc files, which can run
commands on a user's computer. <br>*Note: This issue only affected Mac OS operating systems. Other
operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and
Thunderbird < 102.6. (CVE-2022-46875)

- Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory
safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run arbitrary code. This
vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. (CVE-2022-46878)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-46872

https://security.alpinelinux.org/vuln/CVE-2022-46874

https://security.alpinelinux.org/vuln/CVE-2022-46875

https://security.alpinelinux.org/vuln/CVE-2022-46878

https://security.alpinelinux.org/vuln/CVE-2022-46880

https://security.alpinelinux.org/vuln/CVE-2022-46881

https://security.alpinelinux.org/vuln/CVE-2022-46882

Plugin Details

Severity: Critical

ID: 404400

Version: Revision 1.33

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.47

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-46882

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/25/2022

Reference Information

CVE: CVE-2022-46872, CVE-2022-46874, CVE-2022-46875, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881, CVE-2022-46882