Alpine: thunderbird: security update to 91.4.0-r0

critical Tenable Cloud Security Plugin ID 426814

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC
occurring within the call not tracing those live pointers. This could have led to a use-after-free causing
a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0,
and Firefox < 95. (CVE-2021-43539)

- Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith,
Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Firefox < 95, Firefox ESR < 91.4.0, and
Thunderbird < 91.4.0. (CVE-2021-4129)

- Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was
limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to
further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.
(CVE-2021-43528)

- Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the
target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.
(CVE-2021-43536)

- An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory
leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR <
91.4.0, and Firefox < 95. (CVE-2021-43537)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-4129

https://security.alpinelinux.org/vuln/CVE-2021-43528

https://security.alpinelinux.org/vuln/CVE-2021-43536

https://security.alpinelinux.org/vuln/CVE-2021-43537

https://security.alpinelinux.org/vuln/CVE-2021-43538

https://security.alpinelinux.org/vuln/CVE-2021-43539

https://security.alpinelinux.org/vuln/CVE-2021-43541

https://security.alpinelinux.org/vuln/CVE-2021-43542

https://security.alpinelinux.org/vuln/CVE-2021-43543

https://security.alpinelinux.org/vuln/CVE-2021-43545

https://security.alpinelinux.org/vuln/CVE-2021-43546

Plugin Details

Severity: Critical

ID: 426814

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-43539

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-4129

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/7/2021

Reference Information

CVE: CVE-2021-4129, CVE-2021-43528, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546

IAVA: 2021-A-0569-S