Commit 861b267

1 parent 4b16635 commit 861b267

2 files changed: 122 additions and 0 deletions

Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2w4f-9fgg-q2v9",
4+
"modified": "2026-02-04T00:09:57Z",
5+
"published": "2026-02-04T00:09:57Z",
6+
"aliases": [
7+
"CVE-2026-25145"
8+
],
9+
"summary": "melange has a path traversal in license-path which allows reading files outside workspace ",
10+
"details": "An attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The `LicensingInfos` function in `pkg/config/config.go` reads license files specified in `copyright[].license-path` without validating that paths remain within the workspace directory, allowing path traversal via `../` sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. \n \n Fix: Merged in commit 2f95c9f4\n \n Acknowledgements \n \nmelange thanks Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "chainguard.dev/melange"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.14.0"
29+
},
30+
{
31+
"fixed": "0.40.3"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/chainguard-dev/melange"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-22"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-02-04T00:09:57Z",
59+
"nvd_published_at": null
60+
}
61+
}
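Review bot: The fix line in `details` (`Fix: Merged in commit 2f95c9f4`) gives only an unlinked short hash and never names the fixed release, while the `affected` range in the same record says `"fixed": "0.40.3"` and `references` already carries the full commit URL; state the released version in the text as the sibling advisory does (for example `Fixed in 2f95c9f4, released in 0.40.3`) and link the hash so readers of the rendered advisory get the same information in both places. Minor: `summary` ends in a trailing space (`...outside workspace `), and the separators ` \n \n Fix:` / `Acknowledgements \n \nmelange` mix spaces and newlines, which renders as uneven paragraph breaks.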
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-rf4g-89h5-crcr",
4+
"modified": "2026-02-04T00:09:15Z",
5+
"published": "2026-02-04T00:09:15Z",
6+
"aliases": [
7+
"CVE-2026-25143"
8+
],
9+
"summary": "melange affected by potential host command execution via license-check YAML mode patch pipeline ",
10+
"details": "An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. \n \nThe vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. \n\nFix: Fixed in [bd132535](https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030) , Released in 0.40.3.\n \nAcknowledgements \n \nmelange thanks Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "chainguard.dev/melange"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.10.0"
29+
},
30+
{
31+
"fixed": "0.40.3"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/chainguard-dev/melange"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-78"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-02-04T00:09:15Z",
59+
"nvd_published_at": null
60+
}
61+
}
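Review bot: The `summary` scopes the issue to "license-check YAML mode patch pipeline", but `details` says the built-in patch pipeline is reachable through both `melange build` and `melange license-check`; reconcile the two so the title is not narrower than the body (the CWE-78 classification and the I:H/A:H vector describe the pipeline as a whole, not one entry point). Minor: trailing space at the end of `summary`, `pkg/build/pipelines/patch.yaml` lacks the backticks the sibling advisory uses for paths, and `Fixed in [bd132535](...) , Released in 0.40.3.` has a space before the comma and a capitalised "Released".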
