Lucene search
K

110 matches found

Snyk
Snyk
added 2026/05/04 9:26 p.m.5 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack through the DirFS process. An attacker can gain unauthorized access to files outside the intended build root by crafting a malicious archive containing a symlink entry that points outside the build root, followed by...

8.7CVSS5.8AI score0.00352EPSS
Exploits0References3
OSV
OSV
added 2026/05/04 9:26 p.m.7 views

GHSA-QQ3R-W4HJ-GJP6 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...

7.5CVSS5.8AI score0.00352EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/04 9:26 p.m.18 views

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...

7.5CVSS7.2AI score0.00352EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.12 views

PT-2026-36990

Name of the Vulnerable Software and Affected Versions apko affected versions not specified Description apko verifies the signature on 'APKINDEX.tar.gz' but fails to compare individually downloaded '.apk' packages against the checksum recorded in the signed index. Although the checksum is parsed v...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References12
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/04 12:0 a.m.28 views

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.11 views

PT-2026-37052

Name of the Vulnerable Software and Affected Versions apko versions 0.14.8 through 1.2.4 Description A crafted .apk file can install a TypeSymlink tar entry with a target pointing outside the build root. Subsequent directory-creation or file-write entries in the same or later archive can traverse...

7.5CVSS5.8AI score0.00352EPSS
Exploits0References11
Wolfi
Wolfi
added 2026/04/11 2:51 a.m.8 views

GHSA-FV83-X2XW-2J55 vulnerabilities

Vulnerabilities for packages: polaris, go, flux, dbmate, metacontroller, flux-helm-controller, apko, nova, flux-operator, smokescreen, osv-scanner, stakater-reloader, flux-image-reflector-controller, aws-network-policy-agent, mariadb-operator, dkron, ingress-nginx-controller,...

5.9AI score
Exploits0
Chainguard
Chainguard
added 2026/03/31 7:55 a.m.7 views

CVE-2026-34165 vulnerabilities

Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, nemo, kyverno-fips, crossplane-fips, gitlab-runner-fips, kargo, melange, kubescape, apko-fips, wolfictl, kubescape-server-fips, flux-source-controller, packer, pulumi-language-java, argo-events-fips, gomplate,...

5CVSS5.9AI score0.00147EPSS
Exploits0
Chainguard
Chainguard
added 2026/03/31 7:55 a.m.24 views

CVE-2026-33762 vulnerabilities

Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, nemo, kyverno-fips, crossplane-fips, gitlab-runner-fips, kargo, melange, kubescape, apko-fips, wolfictl, kubescape-server-fips, flux-source-controller, packer, pulumi-language-java, argo-events-fips, gomplate,...

2.8CVSS5.9AI score0.00153EPSS
Exploits0
Chainguard
Chainguard
added 2026/03/31 7:55 a.m.6 views

GHSA-GM2X-2G9H-CCM8 vulnerabilities

Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, nemo, kyverno-fips, crossplane-fips, gitlab-runner-fips, kargo, melange, kubescape, apko-fips, wolfictl, kubescape-server-fips, flux-source-controller, packer, pulumi-language-java, argo-events-fips, gomplate,...

5.9AI score
Exploits0
Wolfi
Wolfi
added 2026/03/31 7:48 a.m.10 views

GHSA-JHF3-XXHW-2WPP vulnerabilities

Vulnerabilities for packages: cerbos, gitaly, witness, argo-cd, flux, crossplane, dagger, gitea, apko, scorecard, grafana-alloy, osv-scanner, argo-events, argo-workflows, k9s, pulumi-kubernetes-operator, kubevela, pulumi-language-dotnet, zarf, grafana, pulumi-language-java, tfsec, pulumi, melange...

5.9AI score
Exploits0
Wolfi
Wolfi
added 2026/03/31 7:48 a.m.11 views

GHSA-GM2X-2G9H-CCM8 vulnerabilities

Vulnerabilities for packages: cerbos, gitaly, witness, argo-cd, flux, crossplane, dagger, gitea, apko, scorecard, grafana-alloy, osv-scanner, argo-events, argo-workflows, k9s, pulumi-kubernetes-operator, kubevela, pulumi-language-dotnet, zarf, grafana, pulumi-language-java, tfsec, pulumi, melange...

5.9AI score
Exploits0
Wolfi
Wolfi
added 2026/03/31 7:48 a.m.12 views

CVE-2026-34165 vulnerabilities

Vulnerabilities for packages: cerbos, gitaly, witness, argo-cd, flux, crossplane, dagger, gitea, apko, scorecard, grafana-alloy, osv-scanner, argo-events, argo-workflows, k9s, pulumi-kubernetes-operator, kubevela, pulumi-language-dotnet, zarf, grafana, pulumi-language-java, tfsec, pulumi, melange...

5CVSS5.9AI score0.00147EPSS
Exploits0
SUSE CVE
SUSE CVE
added 2026/03/04 12:27 a.m.4 views

SUSE CVE-2026-25140

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in...

7.5CVSS5.7AI score0.00366EPSS
Exploits0References3
Chainguard
Chainguard
added 2026/03/03 7:17 a.m.6 views

GHSA-8FJ7-8H3W-XWFM vulnerabilities

Vulnerabilities for packages: splunk-otel-collector, buildkite-agent-fips, terraform-provider-acme, cluster-api-azure-controller, apache-beam-python-3.13-sdk, apm-server, nemo, apache-beam-python-3.11-sdk, kube-rbac-proxy, flux-source-watcher-fips, crossplane-provider-aws-memorydb,...

5.9AI score
Exploits0
Wolfi
Wolfi
added 2026/02/26 7:48 p.m.9 views

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: witness, apko, scorecard, osv-scanner, crossplane-provider-aws-ec2, terraform-provider-azuread, crossplane-provider-aws-cloudwatchlogs, pulumi-kubernetes-operator, crossplane-provider-aws-cloudfront, terraform-provider-azurerm, buildkitd, grafana, helm-push, tfsec,...

9.8CVSS6.7AI score0.00397EPSS
Exploits0
Wolfi
Wolfi
added 2026/02/26 7:48 p.m.9 views

GHSA-Q9HV-HPM4-HJ6X vulnerabilities

Vulnerabilities for packages: witness, apko, scorecard, osv-scanner, crossplane-provider-aws-ec2, terraform-provider-azuread, crossplane-provider-aws-cloudwatchlogs, pulumi-kubernetes-operator, crossplane-provider-aws-cloudfront, terraform-provider-azurerm, buildkitd, grafana, helm-push, tfsec,...

5.9AI score
Exploits0
Chainguard
Chainguard
added 2026/02/26 7:17 p.m.9 views

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: gitea, argo-cd-fips, snyk-cli, kyverno-fips, crossplane-fips, lazygit, crossplane-provider-aws-memorydb, gitlab-runner-fips, melange, crossplane-provider-aws-efs-fips, crossplane-provider-azure-managedidentity, kubescape, omni, tekton-pipelines, apko-fips,...

9.8CVSS6.7AI score0.00397EPSS
Exploits0
OSV
OSV
added 2026/02/26 4:27 p.m.6 views

GO-2026-4410 apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko

apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams in chainguard.dev/apko...

7.5CVSS5.4AI score0.00366EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/02/07 12:24 a.m.4 views

SUSE CVE-2026-25121

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...

7.5CVSS5.3AI score0.00369EPSS
Exploits0References3
Rows per page
Query Builder