Alpine: multiple firefox-esr packages: security update to 102.8.0-r0

high Tenable Cloud Security Plugin ID 404402

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Memory safety bugs present in Firefox ESR 102.7. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could have been exploited to run arbitrary code. This
vulnerability affects Thunderbird < 102.8 and Firefox ESR < 102.8. (CVE-2023-25746)

- An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory
writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110,
Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-0767)

- The <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child
iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects
Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25728)

- Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code>
resulting in extensions being able to open them without user interaction via
<code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or
interacting with software already installed on the system. This vulnerability affects Firefox < 110,
Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25729)

- A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force
the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.
This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. (CVE-2023-25730)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-0767

https://security.alpinelinux.org/vuln/CVE-2023-25728

https://security.alpinelinux.org/vuln/CVE-2023-25729

https://security.alpinelinux.org/vuln/CVE-2023-25730

https://security.alpinelinux.org/vuln/CVE-2023-25732

https://security.alpinelinux.org/vuln/CVE-2023-25734

https://security.alpinelinux.org/vuln/CVE-2023-25735

https://security.alpinelinux.org/vuln/CVE-2023-25737

https://security.alpinelinux.org/vuln/CVE-2023-25738

https://security.alpinelinux.org/vuln/CVE-2023-25739

https://security.alpinelinux.org/vuln/CVE-2023-25742

https://security.alpinelinux.org/vuln/CVE-2023-25744

https://security.alpinelinux.org/vuln/CVE-2023-25746

Plugin Details

Severity: High

ID: 404402

Version: Revision 1.30

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-25746

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/14/2023

Reference Information

CVE: CVE-2023-0767, CVE-2023-25728, CVE-2023-25729, CVE-2023-25730, CVE-2023-25732, CVE-2023-25734, CVE-2023-25735, CVE-2023-25737, CVE-2023-25738, CVE-2023-25739, CVE-2023-25742, CVE-2023-25744, CVE-2023-25746