Description
apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issue.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low
Affected products
- chainguard-dev / apko>= 0.27.0, < 0.29.5 – >= 0.27.0, < 0.29.5
References
- VENDOR_ADVISORYhttps://github.com/chainguard-dev/apko/security/advisories/GHSA-x6ph-r535-3vjw
- PATCHhttps://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9
- PATCHhttps://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3
- PATCHhttps://github.com/chainguard-dev/apko/releases/tag/v0.27.0
- PATCHhttps://github.com/chainguard-dev/apko/releases/tag/v0.29.5