Melange
Monthly
Melange versions 0.40.5 and earlier are vulnerable to disk exhaustion when the update-cache function downloads files from attacker-controlled URIs without enforcing size limits or timeouts. An attacker can craft a malicious melange configuration file to trigger unbounded disk writes on build systems, consuming all available storage and denying service to legitimate builds. No patch is currently available.
Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files from the host system through path traversal in license file path validation, potentially exfiltrating sensitive data embedded in generated SBOMs. This vulnerability affects build pipeline scenarios where configuration is user-controlled, such as pull request-driven CI or build-as-a-service environments. A patch is available in version 0.40.3.
Melange versions 0.10.0 through 0.40.2 allow unauthenticated command injection through the patch pipeline, enabling attackers to execute arbitrary shell commands on build hosts by injecting shell metacharacters into patch-related inputs such as series paths and filenames. This vulnerability affects users who build APK packages using melange build or melange license-check operations, particularly in CI/CD environments where build inputs may be controlled by untrusted sources. A patch is available in version 0.40.3 and later.
melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]
Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that fails to validate tar entry paths, allowing an attacker with control over a QEMU guest VM's tar stream to write arbitrary files outside the intended workspace directory on the host system. An attacker exploiting this vulnerability could achieve arbitrary file write capabilities on the host machine, potentially leading to system compromise. A patch is available in version 0.40.3 and later.
Melange versions 0.40.5 and earlier are vulnerable to disk exhaustion when the update-cache function downloads files from attacker-controlled URIs without enforcing size limits or timeouts. An attacker can craft a malicious melange configuration file to trigger unbounded disk writes on build systems, consuming all available storage and denying service to legitimate builds. No patch is currently available.
Melange versions 0.14.0 through 0.40.2 allow local attackers with configuration file control to read arbitrary files from the host system through path traversal in license file path validation, potentially exfiltrating sensitive data embedded in generated SBOMs. This vulnerability affects build pipeline scenarios where configuration is user-controlled, such as pull request-driven CI or build-as-a-service environments. A patch is available in version 0.40.3.
Melange versions 0.10.0 through 0.40.2 allow unauthenticated command injection through the patch pipeline, enabling attackers to execute arbitrary shell commands on build hosts by injecting shell metacharacters into patch-related inputs such as series paths and filenames. This vulnerability affects users who build APK packages using melange build or melange license-check operations, particularly in CI/CD environments where build inputs may be controlled by untrusted sources. A patch is available in version 0.40.3 and later.
melange allows users to build apk packages using declarative pipelines. [CVSS 7.9 HIGH]
Melange versions 0.11.3 through 0.40.2 suffer from a path traversal vulnerability in the retrieveWorkspace function that fails to validate tar entry paths, allowing an attacker with control over a QEMU guest VM's tar stream to write arbitrary files outside the intended workspace directory on the host system. An attacker exploiting this vulnerability could achieve arbitrary file write capabilities on the host machine, potentially leading to system compromise. A patch is available in version 0.40.3 and later.