PT-2026-57371 · Go · Chainguard.Dev/Apko+1
Publicado
2026-07-10
·
Atualizado
2026-07-10
·
CVE-2026-54174
CVSS v3.1
8.3
Alta
| Vetor | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Previously, Apko verified the control section hash (
.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.Correção
Insufficient Verification of Data Authenticity
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Chainguard.Dev/Apko
Chainguard.Dev/Melange