Alpine: multiple libgit2 packages: security update to 1.4.4-r0

high Tenable Cloud Security Plugin ID 405196

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users
working on multi-user machines, where untrusted parties have write access to the same hard disk. Those
untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run
supposedly outside a repository while searching for a Git directory. Git would then respect any config in
said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who
installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are
vulnerable: simply creating a new project would already read and respect the config specified in
`C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The
problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git`
on all drives where Git commands are run, and remove read/write access from those folders as a workaround.
Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user
profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`. (CVE-2022-24765)

- Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4,
2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An
unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when
navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a
git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a
patch for this issue. The simplest way to avoid being affected by the exploit described in the example is
to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a
minimum. While a generic workaround is not possible, a system could be hardened from the exploit described
in the example by removing any such repository if it exists already and creating one as root to block any
future attacks. (CVE-2022-29187)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-24765

https://security.alpinelinux.org/vuln/CVE-2022-29187

Plugin Details

Severity: High

ID: 405196

Version: Revision 1.32

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-29187

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/12/2022

Reference Information

CVE: CVE-2022-24765, CVE-2022-29187