Alpine: openfire: security update to 4.7.5-r0

high Tenable Self-Hosted Container Security Plugin ID 426417

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative
console, a web-based application, was found to be vulnerable to a path traversal attack via the setup
environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment
in an already configured Openfire environment to access restricted pages in the Openfire Admin Console
reserved for administrative users. This vulnerability affects all versions of Openfire that have been
released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release
4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the
4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade
isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github
advisory (GHSA-gw42-f939-fhvm) for mitigation advice. (CVE-2023-32315)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-32315

Plugin Details

Severity: High

ID: 426417

Version: Revision 1.4

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.47

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-32315

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/23/2023

CISA Known Exploited Vulnerability Due Dates: 9/14/2023

Exploitable With

Metasploit (Openfire authentication bypass with RCE plugin)

Reference Information

CVE: CVE-2023-32315

IAVB: 2023-B-0043