CVE-2024-36127 - OpenCVE

apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01
https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-03T14:49:39.055Z

Updated: 2024-09-03T15:49:45.766Z

Reserved: 2024-05-20T21:07:48.190Z

Link: CVE-2024-36127

Vulnrichment

Updated: 2024-08-02T03:30:13.123Z

NVD

Status : Awaiting Analysis

Published: 2024-06-03T15:15:09.307

Modified: 2024-06-03T19:23:17.807

Link: CVE-2024-36127

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36127", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-20T21:07:48.190Z", "datePublished": "2024-06-03T14:49:39.055Z", "dateUpdated": "2024-09-03T15:49:45.766Z"}, "containers": {"cna": {"title": "apko Exposure of HTTP basic auth credentials in log output", "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp"}, {"name": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01"}], "affected": [{"vendor": "chainguard-dev", "product": "apko", "versions": [{"version": "< 0.14.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T14:49:39.055Z"}, "descriptions": [{"lang": "en", "value": "apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5."}], "source": {"advisory": "GHSA-v6mg-7f7p-qmqp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:13.123Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp"}, {"name": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01"}]}, {"affected": [{"vendor": "chainguard-dev", "product": "apko", "cpes": ["cpe:2.3:a:chainguard-dev:apko:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.14.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T19:11:57.608124Z", "id": "CVE-2024-36127", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:49:45.766Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp", "name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01", "name": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:13.123Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36127", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T19:11:57.608124Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:chainguard-dev:apko:*:*:*:*:*:*:*:*"], "vendor": "chainguard-dev", "product": "apko", "versions": [{"status": "affected", "version": "0", "lessThan": "0.14.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:49:39.903Z"}}], "cna": {"title": "apko Exposure of HTTP basic auth credentials in log output", "source": {"advisory": "GHSA-v6mg-7f7p-qmqp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chainguard-dev", "product": "apko", "versions": [{"status": "affected", "version": "< 0.14.5"}]}], "references": [{"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp", "name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01", "name": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T14:49:39.055Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36127", "state": "PUBLISHED", "dateUpdated": "2024-09-03T15:49:45.766Z", "dateReserved": "2024-05-20T21:07:48.190Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-03T14:49:39.055Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}