Alpine: multiple firefox-esr packages: security update to 115.1.0-r0

critical Tenable Self-Hosted Container Security Plugin ID 404406

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and Thunderbird 115.0. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and
Thunderbird < 115.1. (CVE-2023-4057)

- Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image
data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116,
Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4045)

- In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This
resulted in incorrect compilation and a potentially exploitable crash in the content process. This
vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1. (CVE-2023-4046)

- A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user
into granting permissions. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR
< 115.1. (CVE-2023-4047)

- An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low
memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR <
115.1. (CVE-2023-4048)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-4045

https://security.alpinelinux.org/vuln/CVE-2023-4046

https://security.alpinelinux.org/vuln/CVE-2023-4047

https://security.alpinelinux.org/vuln/CVE-2023-4048

https://security.alpinelinux.org/vuln/CVE-2023-4049

https://security.alpinelinux.org/vuln/CVE-2023-4050

https://security.alpinelinux.org/vuln/CVE-2023-4052

https://security.alpinelinux.org/vuln/CVE-2023-4054

https://security.alpinelinux.org/vuln/CVE-2023-4055

https://security.alpinelinux.org/vuln/CVE-2023-4056

https://security.alpinelinux.org/vuln/CVE-2023-4057

Plugin Details

Severity: Critical

ID: 404406

Version: Revision 1.32

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-4057

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/1/2023

Reference Information

CVE: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4052, CVE-2023-4054, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057