
Markusboehme

#50762 of 53,640
4.4 Total CVSS
Vulnerabilities · 1
PT-2025-30051
4.4
2025-07-18
Melange · Melange · CVE-2025-54059
**Name of the Vulnerable Software and Affected Versions**

melange versions 0.23.0 through 0.29.4

**Description**

melange allows users to build apk packages using declarative pipelines. SBOM files generated by melange in apks had file system permissions mode 666, potentially allowing an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a Denial of Service under special circumstances.

**Recommendations**

Update to version 0.29.5 or later.