Alpine: multiple firefox-esr packages: security update to 91.9.0-r0

critical Tenable Self-Hosted Container Security Plugin ID 404464

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported
memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these could have been exploited to run
arbitrary code. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
(CVE-2022-29917)

- Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the
top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This
vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29909)

- An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-
activation</code> could lead to script execution without <code>allow-scripts</code> being present. This
vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29911)

- Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This
vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29912)

- When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI,
which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox
ESR < 91.9, and Firefox < 100. (CVE-2022-29914)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-29909

https://security.alpinelinux.org/vuln/CVE-2022-29911

https://security.alpinelinux.org/vuln/CVE-2022-29912

https://security.alpinelinux.org/vuln/CVE-2022-29914

https://security.alpinelinux.org/vuln/CVE-2022-29916

https://security.alpinelinux.org/vuln/CVE-2022-29917

Plugin Details

Severity: Critical

ID: 404464

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-29917

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/3/2022

Reference Information

CVE: CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29914, CVE-2022-29916, CVE-2022-29917