Alpine: multiple git packages, multiple perl-git packages: security update to 2.26.1-r0

high Tenable Self-Hosted Container Security Plugin ID 423898

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials
to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve
passwords or other credentials from secure storage provided by the operating system. Specially-crafted
URLs that contain an encoded newline can inject unintended values into the credential helper protocol
stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for
an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the
former being sent to the latter. There are no restrictions on the relationship between the two, meaning
that an attacker can craft a URL that will present stored credentials for any host to a host of their
choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the
affected URLs look rather suspicious; the likely vector would be through systems which automatically clone
URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has
been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to
backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks
for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched
versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
(CVE-2020-5260)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-5260

Plugin Details

Severity: High

ID: 423898

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-5260

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/13/2020

Reference Information

CVE: CVE-2020-5260