Alpine: multiple firefox-esr packages: security update to 78.2.0-r0

high Tenable Cloud Security Plugin ID 425997

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute
updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service
does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous
version which would have allowed exploitation of an older bug and arbitrary code execution with System
Privileges. *Note: This issue only affected Windows operating systems. Other operating systems are
unaffected.*. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox
ESR < 68.12, and Firefox ESR < 78.2. (CVE-2020-15663)

- By holding a reference to the eval() function from an about:blank window, a malicious webpage could have
gained access to the InstallTrigger object which would allow them to prompt the user to install an
extension. Combined with user confusion, this could result in an unintended or malicious extension being
installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR <
68.12, Firefox ESR < 78.2, and Firefox for Android < 80. (CVE-2020-15664)

- Mozilla developers reported memory safety bugs present in Firefox for Android 79. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Firefox < 80, Firefox ESR < 78.2, Thunderbird
< 78.2, and Firefox for Android < 80. (CVE-2020-15670)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-15663

https://security.alpinelinux.org/vuln/CVE-2020-15664

https://security.alpinelinux.org/vuln/CVE-2020-15670

Plugin Details

Severity: High

ID: 425997

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 1/21/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-15663

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-15670

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/25/2020

Reference Information

CVE: CVE-2020-15663, CVE-2020-15664, CVE-2020-15670