Alpine: git: security update to 2.34.2-r0

high Tenable Cloud Security Plugin ID 404640

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users
working on multi-user machines, where untrusted parties have write access to the same hard disk. Those
untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run
supposedly outside a repository while searching for a Git directory. Git would then respect any config in
said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who
installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are
vulnerable: simply creating a new project would already read and respect the config specified in
`C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The
problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git`
on all drives where Git commands are run, and remove read/write access from those folders as a workaround.
Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user
profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`. (CVE-2022-24765)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-24765

Plugin Details

Severity: High

ID: 404640

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-24765

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/12/2022

Reference Information

CVE: CVE-2022-24765