19 matches found
CVE-2026-42574 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same o...
CVE-2026-42574 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same o...
CVE-2026-42574
The CVE-2026-42574 issue affects apko dirFS used to build/publish OCI images. A crafted APK could place a TypeSymlink tar entry whose target points outside the build root, enabling traversal to host paths via subsequent directory creation or write operations within the same or later archive. Root...
GHSA-QQ3R-W4HJ-GJP6 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through the DirFS process. An attacker can gain unauthorized access to files outside the intended build root by crafting a malicious archive containing a symlink entry that points outside the build root, followed by...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through the DirFS process. An attacker can gain unauthorized access to files outside the intended build root by crafting a malicious archive containing a symlink entry that points outside the build root, followed by...
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the sanitizePath...
CVE-2026-25121
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...
CVE-2026-25121
The CVE-2026-25121 entry concerns a path traversal in apko’s dirFS (package apko) where MkdirAll, Mkdir, and Symlink in rwosfs.go use filepath.Join() without validating the path against the base directory. A malicious APK package (e.g., from a compromised or typosquatted repo) could cause writes ...
CVE-2026-25121 apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...
EUVD-2026-5380
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...
CVE-2026-25121 apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...
CVE-2026-25121 apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...
CVE-2026-25121
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...
GHSA-5G94-C2WX-8PXW apko has a path traversal in apko dirFS which allows filesystem writes outside base
A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatted repository could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink...
PT-2026-6267
Name of the Vulnerable Software and Affected Versions apko versions 0.14.8 through 1.1.0 Description apko is a tool that enables users to build and publish OCI container images from apk packages. A path traversal issue exists in apko’s dirFS filesystem abstraction between versions 0.14.8 and 1.1....
DEBIAN-CVE-2022-41720
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS"C:/tmp".Open"COM1" opens the...
Directory Traversal
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Directory Traversal. Go Vulnerability Report: On Windows, restricted files can be accessed via os.DirFS and http.Dir.The os.DirFS function and http.Dir type provide access to a...