Alpine: multiple firefox packages: security update to 97.0-r0

critical Tenable Self-Hosted Container Security Plugin ID 404388

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox
96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects
Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. (CVE-2022-22764)

- It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This
vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2021-4140)

- Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera,
Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of
these bugs showed evidence of memory corruption and we presume that with enough effort some of these could
have been exploited to run arbitrary code. This vulnerability affects Firefox < 97. (CVE-2022-0511)

- If Firefox was installed to a world-writable directory, a local privilege escalation could occur when
Firefox searched the current directory for system libraries. However, the install directory is not
world-writable by default. *This bug only affects Firefox for Windows in a non-default installation. Other
operating systems are unaffected.* This vulnerability affects Firefox < 96. (CVE-2022-22736)

- Constructing audio sinks could have led to a race condition when playing audio files and closing windows.
This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability
affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. (CVE-2022-22737)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-4140

https://security.alpinelinux.org/vuln/CVE-2022-0511

https://security.alpinelinux.org/vuln/CVE-2022-22736

https://security.alpinelinux.org/vuln/CVE-2022-22737

https://security.alpinelinux.org/vuln/CVE-2022-22738

https://security.alpinelinux.org/vuln/CVE-2022-22739

https://security.alpinelinux.org/vuln/CVE-2022-22740

https://security.alpinelinux.org/vuln/CVE-2022-22741

https://security.alpinelinux.org/vuln/CVE-2022-22742

https://security.alpinelinux.org/vuln/CVE-2022-22743

https://security.alpinelinux.org/vuln/CVE-2022-22744

https://security.alpinelinux.org/vuln/CVE-2022-22745

https://security.alpinelinux.org/vuln/CVE-2022-22746

https://security.alpinelinux.org/vuln/CVE-2022-22747

https://security.alpinelinux.org/vuln/CVE-2022-22748

https://security.alpinelinux.org/vuln/CVE-2022-22749

https://security.alpinelinux.org/vuln/CVE-2022-22750

https://security.alpinelinux.org/vuln/CVE-2022-22751

https://security.alpinelinux.org/vuln/CVE-2022-22752

https://security.alpinelinux.org/vuln/CVE-2022-22753

https://security.alpinelinux.org/vuln/CVE-2022-22754

https://security.alpinelinux.org/vuln/CVE-2022-22755

https://security.alpinelinux.org/vuln/CVE-2022-22756

https://security.alpinelinux.org/vuln/CVE-2022-22757

https://security.alpinelinux.org/vuln/CVE-2022-22758

https://security.alpinelinux.org/vuln/CVE-2022-22759

https://security.alpinelinux.org/vuln/CVE-2022-22760

https://security.alpinelinux.org/vuln/CVE-2022-22761

https://security.alpinelinux.org/vuln/CVE-2022-22762

https://security.alpinelinux.org/vuln/CVE-2022-22764

Plugin Details

Severity: Critical

ID: 404388

Version: Revision 1.41

Type: Local

Published: 10/31/2023

Updated: 6/1/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-22764

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-4140

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/11/2022

Reference Information

CVE: CVE-2021-4140, CVE-2022-0511, CVE-2022-22736, CVE-2022-22737, CVE-2022-22738, CVE-2022-22739, CVE-2022-22740, CVE-2022-22741, CVE-2022-22742, CVE-2022-22743, CVE-2022-22744, CVE-2022-22745, CVE-2022-22746, CVE-2022-22747, CVE-2022-22748, CVE-2022-22749, CVE-2022-22750, CVE-2022-22751, CVE-2022-22752, CVE-2022-22753, CVE-2022-22754, CVE-2022-22755, CVE-2022-22756, CVE-2022-22757, CVE-2022-22758, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22762, CVE-2022-22764

IAVA: 2022-A-0017-S, 2022-A-0079-S