Alpine: multiple firefox packages: security update to 87.0-r0

Severity: High | Tenable Self-Hosted Container Security | Plugin ID 404379

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort some of these could have been exploited to run
arbitrary code. This vulnerability affects Firefox < 87. (CVE-2021-23988)

- If Content Security Policy blocked frame navigation, the full destination of a redirect served in the
frame was reported in the violation report, as opposed to the original frame URI. This could be used to
leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird <
78.8, and Firefox ESR < 78.8. (CVE-2021-23968)

- As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need
to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible,
user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types
of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was
fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird <
78.8, and Firefox ESR < 78.8. (CVE-2021-23969)

- Context-specific code was included in a shared jump table, resulting in assertions being triggered in
multithreaded wasm code. This vulnerability affects Firefox < 86. (CVE-2021-23970)

- When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's
Referrer-Policy. This would have potentially resulted in more information than intended by the original
origin being provided to the destination of the redirect. This vulnerability affects Firefox < 86.
(CVE-2021-23971)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-23968

https://security.alpinelinux.org/vuln/CVE-2021-23969

https://security.alpinelinux.org/vuln/CVE-2021-23970

https://security.alpinelinux.org/vuln/CVE-2021-23971

https://security.alpinelinux.org/vuln/CVE-2021-23972

https://security.alpinelinux.org/vuln/CVE-2021-23973

https://security.alpinelinux.org/vuln/CVE-2021-23974

https://security.alpinelinux.org/vuln/CVE-2021-23975

https://security.alpinelinux.org/vuln/CVE-2021-23976

https://security.alpinelinux.org/vuln/CVE-2021-23977

https://security.alpinelinux.org/vuln/CVE-2021-23978

https://security.alpinelinux.org/vuln/CVE-2021-23979

https://security.alpinelinux.org/vuln/CVE-2021-23981

https://security.alpinelinux.org/vuln/CVE-2021-23982

https://security.alpinelinux.org/vuln/CVE-2021-23983

https://security.alpinelinux.org/vuln/CVE-2021-23984

https://security.alpinelinux.org/vuln/CVE-2021-23985

https://security.alpinelinux.org/vuln/CVE-2021-23986

https://security.alpinelinux.org/vuln/CVE-2021-23987

https://security.alpinelinux.org/vuln/CVE-2021-23988

Plugin Details

Severity: High

ID: 404379

Version: Revision 1.26

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-23988

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/23/2021

Reference Information

CVE: CVE-2021-23968, CVE-2021-23969, CVE-2021-23970, CVE-2021-23971, CVE-2021-23972, CVE-2021-23973, CVE-2021-23974, CVE-2021-23975, CVE-2021-23976, CVE-2021-23977, CVE-2021-23978, CVE-2021-23979, CVE-2021-23981, CVE-2021-23982, CVE-2021-23983, CVE-2021-23984, CVE-2021-23985, CVE-2021-23986, CVE-2021-23987, CVE-2021-23988

IAVA: 2021-A-0107-S, 2021-A-0144-S