Alibaba Cloud Linux 3 : 0180: git-lfs (ALINUX3-SA-2022:0180)

🗓️ 14 May 2025 00:00:00Reported by TenableType

Alibaba Cloud Linux 3 has vulnerabilities fixed by updates for several software packages.

Reporter	Title	Published	Views	Family All 1245
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Go may affect IBM CICS TX Standard	24 Feb 202310:43	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM API Connect	15 Mar 202500:18	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go	31 Mar 202314:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion HCI may be vulnerable to Denial of Service via use of openshift/machine-api-operator, openshift/machine-config-operator (CVE-2020-28851, CVE-2020-28852, CVE-2021-44716)	21 Dec 202317:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Data is vulnerable to a variety of issues due to 3rd party software	27 Sep 202417:52	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak for Multicloud Management	28 Feb 202421:30	–	ibm
IBM Security Bulletins	Security Bulletin: CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard	29 Mar 202319:03	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities have been found in Golang Go which is shipped with Cloud Pak System	6 May 202219:21	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Golang Go affects IBM Event Streams (CVE-2022-27664)	5 Dec 202216:43	–	ibm
IBM Security Bulletins	Security Bulletin: Astronomer with IBM is vulnerable to several vulnerabilities	11 Aug 202513:46	–	ibm

Source	Link
mirrors	www.mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20220180.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Alibaba Cloud Linux Security Advisory ALINUX3-SA-2022:0180.
##

include('compat.inc');

if (description)
{
  script_id(236486);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");

  script_cve_id(
    "CVE-2020-28851",
    "CVE-2020-28852",
    "CVE-2022-1705",
    "CVE-2022-27664",
    "CVE-2022-30630",
    "CVE-2022-30632",
    "CVE-2022-30635",
    "CVE-2022-32148",
    "CVE-2022-32189"
  );

  script_name(english:"Alibaba Cloud Linux 3 : 0180: git-lfs (ALINUX3-SA-2022:0180)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Alibaba Cloud Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced
in the ALINUX3-SA-2022:0180 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2020-28851:
    In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing
    the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

    CVE-2020-28852:
    In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage
    while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language
    header.)

    CVE-2022-1705:
    Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12
    and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly
    fails to reject the header as invalid.

    CVE-2022-27664:
    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because
    an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

    CVE-2022-30630:
    Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a
    panic due to stack exhaustion via a path which contains a large number of path separators.

    CVE-2022-30632:
    Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to
    cause a panic due to stack exhaustion via a path containing a large number of path separators.

    CVE-2022-30635:
    Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an
    attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.

    CVE-2022-32148:
    Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by
    calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the
    X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For
    header.

    CVE-2022-32189:
    A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go
    before 1.17.13 and 1.18.5, potentially allowing a denial of service.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20220180.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-28852");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-32148");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/11/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:git-lfs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:git-lfs-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:git-lfs-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:git-lfs-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alibabacloud:alibaba_cloud_linux_3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alibaba Cloud Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Alibaba/release", "Host/Alibaba/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Alibaba/release');
if (isnull(os_release) || 'Alibaba Cloud Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux');
var os_ver = pregmatch(pattern: "Alibaba Cloud Linux release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Alibaba Cloud Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux 3.x', 'Alibaba Cloud Linux ' + os_ver);

if (!get_kb_item('Host/Alibaba/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Alibaba Cloud Linux', cpu);

var pkgs = [
    {'reference':'git-lfs-2.13.3-3.0.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'git-lfs-2.13.3-3.0.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'git-lfs-debuginfo-2.13.3-3.0.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'git-lfs-debuginfo-2.13.3-3.0.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'git-lfs-debugsource-2.13.3-3.0.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'git-lfs-debugsource-2.13.3-3.0.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
    {'reference':'git-lfs-doc-2.13.3-3.0.1.al8', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'Alibaba Linux ' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'git-lfs / git-lfs-debuginfo / git-lfs-debugsource / git-lfs-doc');
}

14 May 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 25

CVSS 3.17.5

EPSS0.02403

SSVC