4.4
CVSS V3
Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.
Start for freemelange creates SBOM files in APKs with world-writable permissions
melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.