logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-36127 chainguard.dev/apko

Package

Manager: go
Name: chainguard.dev/apko
Vulnerable Version: >=0 <0.14.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00151 pctl0.36354

Details

apko Exposure of HTTP basic auth credentials in log output ### Summary Exposure of HTTP basic auth credentials from repository and keyring URLs in log output ### Details There was a handful of instances where the `apko` tool was outputting error messages and log entries where HTTP basic authentication credentials were exposed for one of two reasons: 1. The`%s` verb was used to format a `url.URL` as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL. 2. A string URL value (such as from the configuration YAML file supplied used in an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow. apko, as well as its companion library `go-apk`, have been updated to ensure URLs are parsed and redacted before being output as string values. ### PoC Create a config file like this `apko.yaml`: ```yaml contents: keyring: - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub repositories: - https://me%40example.com:supersecretpassword@localhost:8080/os packages: - wolfi-base cmd: /bin/sh -l archs: - x86_64 - aarch64 ``` Then run: ```shell apko build apko.yaml latest foo.tar --log-level debug ``` Observe instances of the password being shown verbatim in the log output, such as: ```text ... DEBU image configuration: contents: repositories: - https://me%40example.com:supersecretpassword@localhost:8080/os keyring: - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub packages: - wolfi-base ... ``` ### Impact For users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user's logging settings. If you use apko in continuous integration jobs, it is likely that the credentials leak via logs of these jobs. Depending on the accessibility of these logs, this could be a company-internal or public leakage of credentials.

Metadata

Created: 2024-06-04T17:52:15Z
Modified: 2024-06-04T17:52:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v6mg-7f7p-qmqp/GHSA-v6mg-7f7p-qmqp.json
CWE IDs: ["CWE-522", "CWE-532"]
Alternative ID: GHSA-v6mg-7f7p-qmqp
Finding: F035
Auto approve: 1