Alpine: git: security update to 2.40.4-r0

low Tenable Self-Hosted Container Security Plugin ID 408585

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Git is a fast, scalable, distributed revision control system with an unusually rich command set that
provides both high-level operations and full access to internals. When Git asks for credentials via a
terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user
is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been
decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape
sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git
hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control.
This issue has been patch via commits `7725b81` and `c903985` which are included in release versions
v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to
upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
(CVE-2024-50349)

- Git is a fast, scalable, distributed revision control system with an unusually rich command set that
provides both high-level operations and full access to internals. Git defines a line-based protocol that
is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably,
.NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections
against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This
issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2,
v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users
unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. (CVE-2024-52006)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-50349

https://security.alpinelinux.org/vuln/CVE-2024-52006

Plugin Details

Severity: Low

ID: 408585

Version: Revision 1.15

Type: Local

Published: 1/15/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.68

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2024-52006

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.1

Threat Score: 0.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/14/2025

Reference Information

CVE: CVE-2024-50349, CVE-2024-52006