
Firefox < 1.5.0.9 / 2.0.0.1 Multiple Vulnerabilities (23930) / Firefox < 1.0 Multiple Spoofing Vulnerabilities (14181)

  • 7 replies
  • 2 have this problem
  • 3 views
  • Last reply by cor-el

more options

The remote Windows host contains a web browser that is affected by multiple vulnerabilities.

Description

The installed version of Firefox is affected by various security issues, some of which could lead to execution of arbitrary code on the affected host subject to the user's privileges.

Solution

  • Upgrade to Mozilla 1.7.1 / Firefox 0.9.2 or later
  • Upgrade to Mozilla 1.7.3 or later.
  • Upgrade to Firefox 1.5.0.9 / 2.0.0.1 or later.
  • Upgrade to Firefox 1.5.0.11 / 2.0.0.3 or later
  • Upgrade to Firefox 1.5.0.10 / 2.0.0.2 or later
  • Upgrade to Firefox 1.5.0.12 / 2.0.0.4 or later

Where are the patches/updates for this vulnerability located on the Mozilla homepage?


All Replies (7)

more options

The versions of Firefox you have listed are very old, as Firefox 2.0.0.4 for example was released way back on May 30, 2007.

So why are you asking about 16+ year old versions of Firefox vulnerabilities?

https://www.mozilla.org/firefox/releases/

Vulnerabilities with (desktop) Firefox are listed at https://www.mozilla.org/security/known-vulnerabilities/

Modified by James

more options

James,

On our network we perform weekly to bi-weekly updates of Firefox manually and the latest version we updated to last week was 113.0 and our Tenable scan popped with a bunch of vulnerabilities from this upgrade from 112.0 to 113.0.

So my goal is to resolve all of the vulnerabilities on our network. Look at the subject line as it lists the PID associated with the problem... Vulnerabilities!

I have tried 114 and 115 and neither of them resolve the issue.

more options

Yet the versions of Firefox you listed are from sixteen plus years ago and not recent. The solution stated if you have insert version or later then you are not vulnerable to those mentioned vulnerabilities.

The vulnerabilities fixed in Fx 114.0 are listed at https://www.mozilla.org/security/advisories/mfsa2023-20/

If Firefox 114.0 is found to have one or more security vulnerabilities then a 114.0.1 update will be released as that would be the patch. The minor updates are for security and/or stability fixes.

The vulnerabilities fixed in earlier (desktop) Firefox releases are listed at https://www.mozilla.org/security/known-vulnerabilities/firefox/

If the Tenable scan pops up with Firefox vulnerabilities that were from 16+ years ago (and fixed since of course) then is it accurate?

Searching for 23930 Firefox gives this https://www.tenable.com/plugins/nessus/23930 which was published way back on 12/20/2006

Modified by James

more options

Nicholas, WTF is up with that outburst?

I think the Nessus plugin works based on version number detection. That could be done from the Windows Registry or by extracting the Version from firefox.exe. If you do not have ancient versions on disk, then you should not be getting that old detection.

Could you submit a request to Tenable support to figure out why Firefox 113, 114, and 115 are being misread as versions earlier than 1.5.0.9? Or if the detection persists after you completely uninstall Firefox, figure out whether there is a rogue installation of an old version of Firefox in an unexpected location.

more options

jscher2000 - Support Volunteer said

Could you submit a request to Tenable support to figure out why Firefox 113, 114, and 115 are being misread as versions earlier than 1.5.0.9? Or if the detection persists after you completely uninstall Firefox, figure out whether there is a rogue installation of an old version of Firefox in an unexpected location.

Good point as https://www.tenable.com/plugins/nessus/23930 mentions "Upgrade to Firefox 1.5.0.9 / 2.0.0.1" both of which were released the same day, December 19, 2006.

It could be detecting Firefox 15.0.8 is installed on system? However since it was mentioned that this alert did not occur until after installing Fx 113.0 or later I wonder if it could somehow be a detection hiccup or false positive sort of thing.

We certainly know that a few certain antivirus scanners have given the occasional false positives after a new Firefox software update or install over the years only for the antivirus to quickly get corrected with a definitions update.

The word Tenable used to refer to a scanner or vulnerabilities (and not as meaning) has only had two other threads here so there is little past experience with it and Firefox on this forum to give an idea why it can pop up an alert on ancient Firefox versions. A search for Nessus only resulted in this and another thread so little help there.

Hmm, nothing in Bugzilla about the Tenable scanner and the five bugs that came up had longer words that had tenable as part of the word. A search for Nessus had zero results.

Modified by James

more options

James,

Finally some feedback that doesn't seem like you are trolling me. Thank you!

And as to why I am searching for PIDs and vulnerabilities you say are years old does not concern you. But what I was doing for the team I'm on was going the extra mile for any answers possible without getting the feeling of someone trying to ridicule or belittle me for their own enjoyment when I needed some help. Just because you don't understand why doesn't give you the right to talk down to me or anybody else!

Nick

more options

I found this bug report that looks similar to what you reported:

  • 1837069 - FireFox KB is reporting version 113 and 114 in CPE as version 0.0.0 triggering vulnerabilities for FireFox <1.x

Modified by cor-el
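
An added triage sketch for the situation this thread ends on (not code from Tenable, Mozilla or any poster): it cross-checks the version a scanner finding reports against the version read from the host itself, so a placeholder such as 0.0.0 is separated from a real old install. The function names, result labels and branch-matching rule are assumptions; the fixed versions are the ones quoted for plugin 23930.

```python
import re

FIXED_23930 = ["1.5.0.9", "2.0.0.1"]  # "Upgrade to" versions quoted in the thread

def parse_version(text):
    """Dotted numeric version -> tuple of ints, or None if it cannot be read."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def pad(version, width=4):
    """Right-pad with zeros so 113.0 and 1.5.0.9 compare component by component."""
    return tuple(version) + (0,) * (width - len(version))

def is_vulnerable(version, fixed_in):
    """Assumed rule: compare inside the matching branch, else against the newest fix."""
    v = pad(version)
    fixes = sorted(pad(parse_version(f)) for f in fixed_in)
    for fix in fixes:
        if v[:2] == fix[:2]:  # same release branch, e.g. 1.5.x or 2.0.x
            return v < fix
    return v < fixes[-1]

def triage(reported, installed, fixed_in=FIXED_23930):
    """Classify one finding: scanner-reported version vs. version read on the host."""
    rep, act = parse_version(reported), parse_version(installed)
    if act is None:
        return "unverified"        # nothing trustworthy to compare against
    if is_vulnerable(act, fixed_in):
        return "confirmed"         # the host really runs an affected build
    if rep is None or not any(rep):
        return "detection-error"   # version was never read (empty, junk or 0.0.0)
    if pad(rep) != pad(act):
        return "second-install?"   # scanner saw another copy: search the disk
    return "rule-mismatch"         # correct version, wrong rule fired

if __name__ == "__main__":
    # Constructed sample findings: (version in the finding, version read from firefox.exe)
    samples = [("0.0.0", "113.0"), ("1.5.0.8", "115.0"),
               ("1.5.0.8", "1.5.0.8"), ("114.0", "114.0")]
    for reported, installed in samples:
        print(f"reported={reported:<8} installed={installed:<8} -> {triage(reported, installed)}")
```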