Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

chainguard-dev

Source -

ADPCNA

BOS Name -

N/A

CNA CVEs -

3

ADP CVEs -

1

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
3Vulnerabilities found
CVE-2025-54059
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.01% / 1.08%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 15:40
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
melange creates SBOM files in APKs with world-writable permissions

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.

Action-Not Available
Vendor-chainguard-dev
Product-melange
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-53945
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7||HIGH
EPSS-0.01% / 2.15%
||
7 Day CHG~0.00%
Published-18 Jul, 2025 | 15:35
Updated-22 Jul, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
apko has incorrect permission (0666) in /etc/ld.so.cache and other files

apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issue.

Action-Not Available
Vendor-chainguard-dev
Product-apko
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2024-36127
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.15% / 36.36%
||
7 Day CHG~0.00%
Published-03 Jun, 2024 | 14:49
Updated-03 Sep, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
apko Exposure of HTTP basic auth credentials in log output

apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.

Action-Not Available
Vendor-chainguard-devchainguard-dev
Product-apkoapko
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CWE ID-CWE-522
Insufficiently Protected Credentials