Alpine: multiple firefox-esr packages: security update to 115.0-r0

high Tenable Self-Hosted Container Security Plugin ID 426444

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Memory safety bugs present in Firefox 114. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run arbitrary code. This
vulnerability affects Firefox < 115. (CVE-2023-37212)

- When Firefox is configured to block storage of all cookies, it was still possible to store data in
localstorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites
storing tracking data without permission. This vulnerability affects Firefox < 115. (CVE-2023-3482)

- An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.
This vulnerability affects Firefox < 115, Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37201)

- Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to
be stored in the main compartment resulting in a use-after-free. This vulnerability affects Firefox < 115,
Firefox ESR < 102.13, and Thunderbird < 102.13. (CVE-2023-37202)

- Insufficient validation in the Drag and Drop API in conjunction with social engineering, may have allowed
an attacker to trick end-users into creating a shortcut to local system files. This could have been
leveraged to execute arbitrary code. This vulnerability affects Firefox < 115. (CVE-2023-37203)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-3482

https://security.alpinelinux.org/vuln/CVE-2023-37201

https://security.alpinelinux.org/vuln/CVE-2023-37202

https://security.alpinelinux.org/vuln/CVE-2023-37203

https://security.alpinelinux.org/vuln/CVE-2023-37204

https://security.alpinelinux.org/vuln/CVE-2023-37205

https://security.alpinelinux.org/vuln/CVE-2023-37206

https://security.alpinelinux.org/vuln/CVE-2023-37207

https://security.alpinelinux.org/vuln/CVE-2023-37208

https://security.alpinelinux.org/vuln/CVE-2023-37209

https://security.alpinelinux.org/vuln/CVE-2023-37210

https://security.alpinelinux.org/vuln/CVE-2023-37211

https://security.alpinelinux.org/vuln/CVE-2023-37212

Plugin Details

Severity: High

ID: 426444

Version: Revision 1.3

Type: Local

Published: 5/16/2025

Updated: 12/11/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-37212

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/4/2023

Reference Information

CVE: CVE-2023-3482, CVE-2023-37201, CVE-2023-37202, CVE-2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-37207, CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211, CVE-2023-37212