Alpine: multiple firefox-esr packages: security update to 102.3.0-r0

high Tenable Self-Hosted Container Security Plugin ID 404397

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla
Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and
Firefox < 105. (CVE-2022-40962)

- An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash.
This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-3266)

- When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the
injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and
Firefox < 105. (CVE-2022-40956)

- Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially
exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects
Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. (CVE-2022-40957)

- By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a
secure context could set and thus overwrite cookies from a secure context, leading to session fixation and
other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
(CVE-2022-40958)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-3266

https://security.alpinelinux.org/vuln/CVE-2022-40956

https://security.alpinelinux.org/vuln/CVE-2022-40957

https://security.alpinelinux.org/vuln/CVE-2022-40958

https://security.alpinelinux.org/vuln/CVE-2022-40959

https://security.alpinelinux.org/vuln/CVE-2022-40960

https://security.alpinelinux.org/vuln/CVE-2022-40962

Plugin Details

Severity: High

ID: 404397

Version: Revision 1.32

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-40962

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/20/2022

Reference Information

CVE: CVE-2022-3266, CVE-2022-40956, CVE-2022-40957, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, CVE-2022-40962