MEDIUM🇬🇧 English

CVE-2026-24846

CVSS 5.5v3.1pub. 2026-01-29upd. 2026-02-24

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory.

oryginał EN
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • Chainguard Malcontent

    APP
    Chainguard
    1.8.0 – 1.20.3 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2026-28407MEDIUM6.9ten sam produkt

malcontent is software for discovering supply-chain compromises through context, differential analysis, and YA...

CVE-2026-24845MEDIUM6.5ten sam produkt

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in v...

CVE-2026-28406HIGH8.2ten sam vendor

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starti...

CVE-2026-25121HIGH7.5ten sam vendor

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to be...

CVE-2026-24844HIGH7.9ten sam vendor

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, a...