Alpine: thunderbird: security update to 91.5.0-r0

critical Tenable Cloud Security Plugin ID 426118

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson
Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR
91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 91.5,
Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22751)

- It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This
vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2021-4140)

- Constructing audio sinks could have lead to a race condition when playing audio files and closing windows.
This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability
affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22737)

- Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-
buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5,
Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22738)

- Malicious websites could have tricked users into accepting launching a program to handle an external URL
protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
(CVE-2022-22739)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-4140

https://security.alpinelinux.org/vuln/CVE-2022-22737

https://security.alpinelinux.org/vuln/CVE-2022-22738

https://security.alpinelinux.org/vuln/CVE-2022-22739

https://security.alpinelinux.org/vuln/CVE-2022-22740

https://security.alpinelinux.org/vuln/CVE-2022-22741

https://security.alpinelinux.org/vuln/CVE-2022-22742

https://security.alpinelinux.org/vuln/CVE-2022-22743

https://security.alpinelinux.org/vuln/CVE-2022-22744

https://security.alpinelinux.org/vuln/CVE-2022-22745

https://security.alpinelinux.org/vuln/CVE-2022-22746

https://security.alpinelinux.org/vuln/CVE-2022-22747

https://security.alpinelinux.org/vuln/CVE-2022-22748

https://security.alpinelinux.org/vuln/CVE-2022-22751

Plugin Details

Severity: Critical

ID: 426118

Version: Revision 1.6

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-22751

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-4140

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/11/2022

Reference Information

CVE: CVE-2021-4140, CVE-2022-22737, CVE-2022-22738, CVE-2022-22739, CVE-2022-22740, CVE-2022-22741, CVE-2022-22742, CVE-2022-22743, CVE-2022-22744, CVE-2022-22745, CVE-2022-22746, CVE-2022-22747, CVE-2022-22748, CVE-2022-22751

IAVA: 2022-A-0017-S