Wagoodman

**Nome do software vulnerável e versões afetadas** Versões do stereoscope anteriores à 0.0.1 **Descrição** É possível criar um arquivo tar OCI que, quando o stereoscope tentar descompactar o conteúdo, resultará na gravação em caminhos fora do diretório temporário de descompactação. Este problema está relacionado ao uso da função `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()`, da estrutura `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` ou da função de nível superior `github.com/anchore/stereoscope/pkg/image.Image.Read()`. **Recomendações** Como solução temporária, considere mudar para o uso de um layout OCI, descompactando o arquivo tar e fornecendo o diretório descompactado ao stereoscope. Para versões anteriores à 0.0.1, atualize para a versão 0.0.1 para resolver o problema.

**Name of the Vulnerable Software and Affected Versions** syft versions v0.69.0 through v0.69.1 **Description** A password disclosure flaw was found in syft, which leaks the password stored in the `SYFT ATTEST PASSWORD` environment variable. This variable is used to decrypt the private key during the signing process while generating an SBOM attestation. The credentials are leaked in two ways: in the syft logs when `-vv` or `-vvv` are used in the syft command and in the attestation or SBOM only when the `syft-json` format is used. This vulnerability affects users running syft that have the `SYFT ATTEST PASSWORD` environment variable set with credentials. Note that any generated attestations by the `syft attest` command are uploaded to the OCI registry, which means that any attestations generated for the affected versions of syft when the `SYFT ATTEST PASSWORD` environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry. **Recommendations** For syft versions v0.69.0 through v0.69.1, upgrade to version v0.70.0 to resolve the issue. As a temporary workaround, consider removing the `SYFT ATTEST PASSWORD` environment variable to prevent credential leakage. Restrict access to the syft logs and attestation or SBOM files to minimize the risk of exploitation. Avoid using the `syft-json` format until the issue is resolved.