8 matches found

OSV, added 2025/07/29 6:49 p.m., 3 views

GO-2025-3815 melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange

melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange...

CVSS 4.4, AI score 6, EPSS 0.0008
Exploits: 0, References: 7
Veracode, added 2025/07/22 5:30 a.m., 5 views

Improper File Permissions

chainguard.dev/melange is vulnerable to improper file permissions. The vulnerability is due to SBOM files in APKs being generated with file system permissions mode 666, which allows an attacker to tamper with the SBOMs...

CVSS 4.4, AI score 7, EPSS 0.0008
Exploits: 0, References: 8, Affected Software: 1
SUSE CVE, added 2025/07/19 11:21 p.m., 3 views

SUSE CVE-2025-54059

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image,...

CVSS 4.4, AI score 6.8, EPSS 0.0008
Exploits: 0, References: 3
Cvelist, added 2025/07/18 3:40 p.m., 8 views

CVE-2025-54059 melange creates SBOM files in APKs with world-writable permissions

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image,...

CVSS 4.4, EPSS 0.0008
Exploits: 0, References: 7
CVE, added 2025/07/18 3:40 p.m., 82 views

CVE-2025-54059

Summary of CVE-2025-54059 (melange) The vulnerability concerns melange creating SBOM files inside APKs with world-writable permissions (mode 666) during build pipelines. It affects versions from 0.23.0 up to, but not including, 0.29.5. This state could allow an unprivileged user to tamper with SB...

CVSS 4.4, AI score 6.5, EPSS 0.0008
Exploits: 0, References: 7
Vulnrichment, added 2025/07/18 3:40 p.m., 5 views

CVE-2025-54059 melange creates SBOM files in APKs with world-writable permissions

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image,...

CVSS 4.4, AI score 7.1, EPSS 0.0008
Exploits: 0, References: 7
OSV, added 2025/07/18 3:40 p.m., 6 views

CVE-2025-54059 melange creates SBOM files in APKs with world-writable permissions

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image,...

CVSS 4.4, AI score 6.4, EPSS 0.0008
Exploits: 0, References: 9
GitLab Advisory Database, added 2025/07/18 12:00 a.m., 11 views

melange's world-writable permissions expose SBOM files to potential image tampering

It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666: $ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest | xargs wget -q -O - | tar tzv 2>/dev/null var/lib/db/sbom drwxr-xr-x root/root 0 2025-06-23 14:1...

CVSS 4.4, AI score 6.3, EPSS 0.0008
Exploits: 0, References: 9, Affected Software: 1