PT-2025-30051 · Melange · Melange
Codyharris-H2O-Ai
Published: 2025-07-18
Updated: 2025-08-04
CVE-2025-54059
CVSS v3.1: 4.4 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
melange versions 0.23.0 through 0.29.4
Description
melange allows users to build apk packages using declarative pipelines. SBOM files generated by melange in apks had file system permissions mode 666, which could allow an unprivileged user to tamper with apk SBOMs on a running image and potentially confuse security scanners. An attacker could also perform a Denial of Service under special circumstances.
Recommendations
Update to version 0.29.5 or later.
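
A triage check for this advisory, as an added example (not melange project code): it tests a builder version against the affected range above and lists SBOM files in an unpacked image root that still carry the world-write bit. The function names and the var/lib/db/sbom directory are assumptions; pass your own SBOM directory as the second argument.

```shell
#!/bin/sh
# Added example, not melange project code.
# Assumption: SBOMs sit under var/lib/db/sbom inside the image root;
# pass another relative directory as the second argument if yours differ.

# is_affected_melange VERSION
# Succeeds when VERSION is in the advisory's range, 0.23.0 through 0.29.4.
is_affected_melange() {
    ver=${1#v}
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    [ "$major" = 0 ] || return 1
    { [ "$minor" -ge 23 ] && [ "$minor" -le 29 ]; } || return 1
    if [ "$minor" -eq 29 ] && [ "$patch" -gt 4 ]; then return 1; fi
    return 0
}

# find_writable_sboms ROOTFS [SBOM_DIR]
# Prints every regular file under the SBOM directory that has the
# world-write bit set (mode 666 matches), one path per line.
find_writable_sboms() {
    root=${1:-/}
    dir="${root%/}/${2:-var/lib/db/sbom}"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -0002 -print | sort
}

# audit_sboms ROOTFS [SBOM_DIR]
# Returns 1 and reports on stderr when any SBOM file is world-writable.
audit_sboms() {
    hits=$(find_writable_sboms "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/world-writable SBOM: /' >&2
        return 1
    fi
    return 0
}
```

Run `audit_sboms` against an exported image filesystem in CI so that packages built before the upgrade are caught and rebuilt.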
Exploit
Fix
DoS
Incorrect Default Permissions
Weakness Enumeration
Related identifiers
Affected products
Melange