apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NChainguard Apko
APPChainguard0.14.8 – 1.1.1 (bez)
Powiązane podatności
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to be...
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to be...
kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starti...
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an...
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, a...