Alpine: git: security update to 2.49.1-r0

high Tenable Cloud Security Plugin ID 428325

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Git is a fast, scalable, distributed revision control system with an unusually rich command set that
provides both high-level operations and full access to internals. When reading a config value, Git strips
any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR
are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if
the submodule path contains a trailing CR, the altered path is read resulting in the submodule being
checked out to an incorrect location. If a symlink exists that points the altered path to the submodule
hooks directory, and the submodule contains an executable post-checkout hook, the script may be
unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4,
v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. (CVE-2025-48384)

- Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted
repository and runs gitk without additional command arguments, files for which the user has write
permission can be created and truncated. The option Support per-file encoding must have been enabled
before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of
this line is used in the main window (regardless of whether Support per-file encoding is enabled or not).
This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
(CVE-2025-27613)

- Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such
a way that with some social engineering a user who has cloned the repository can be tricked into running
any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename,
where filename has a particular structure. The script is run with the privileges of the user. This
vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
(CVE-2025-27614)

- Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can
ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate
design of Tcl on Windows, the search path when looking for an executable always includes the current
directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the
menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
(CVE-2025-46334)

- Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an
untrusted repository and is tricked into editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite files for which the user has write permission. This
vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
(CVE-2025-46835)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-27613

https://security.alpinelinux.org/vuln/CVE-2025-27614

https://security.alpinelinux.org/vuln/CVE-2025-46334

https://security.alpinelinux.org/vuln/CVE-2025-46835

https://security.alpinelinux.org/vuln/CVE-2025-48384

https://security.alpinelinux.org/vuln/CVE-2025-48385

https://security.alpinelinux.org/vuln/CVE-2025-48386

Plugin Details

Severity: High

ID: 428325

Version: Revision 1.22

Type: Local

Published: 7/9/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 8

Percentile: 99.68

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-48384

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2025-46334

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 8.6

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-48385

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/8/2025

Reference Information

CVE: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, CVE-2025-48386