Detections
Analytics
Alpine: multiple firefox-esr packages: security update to 115.2.0-r0
high Tenable Cloud Security Plugin ID 404407
Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:- Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and
Thunderbird < 115.2. (CVE-2023-4585)
- A website could have obscured the full screen notification by using the file open dialog. This could have
led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR
< 115.2, and Thunderbird < 115.2. (CVE-2023-4051)
- A website could have obscured the full screen notification by using a URL with a scheme handled by an
external program, such as a mailto URL. This could have led to user confusion and possible spoofing
attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.
(CVE-2023-4053)
- When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could
have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox <
117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and Thunderbird < 115.2.
(CVE-2023-4573)
- When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks
could have been created at a time and eventually all simultaneously destroyed as soon as one of the
callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This
vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15, and
Thunderbird < 115.2. (CVE-2023-4574)
See Also
https://security.alpinelinux.org/vuln/CVE-2023-4051
https://security.alpinelinux.org/vuln/CVE-2023-4053
https://security.alpinelinux.org/vuln/CVE-2023-4573
https://security.alpinelinux.org/vuln/CVE-2023-4574
https://security.alpinelinux.org/vuln/CVE-2023-4575
https://security.alpinelinux.org/vuln/CVE-2023-4576
https://security.alpinelinux.org/vuln/CVE-2023-4577
https://security.alpinelinux.org/vuln/CVE-2023-4578
https://security.alpinelinux.org/vuln/CVE-2023-4580
https://security.alpinelinux.org/vuln/CVE-2023-4581
https://security.alpinelinux.org/vuln/CVE-2023-4582
https://security.alpinelinux.org/vuln/CVE-2023-4583
Plugin Details
Severity: High
ID: 404407
Version: Revision 1.29
Type: Local
Published: 10/31/2023
Updated: 6/19/2026
Supported Sensors: Agentless Assessment
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2023-4585
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 7.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 8/1/2023
Reference Information
CVE: CVE-2023-4051, CVE-2023-4053, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4576, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4582, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585