PT-2026-57371 · Go · Chainguard.Dev/Apko+1

Publicado

2026-07-10

·

Atualizado

2026-07-10

·

CVE-2026-54174

CVSS v3.1

8.3

Alta

VetorAV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.

Correção

Insufficient Verification of Data Authenticity

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54174
GHSA-FPG8-7664-JC5Q

Produtos afetados

Chainguard.Dev/Apko
Chainguard.Dev/Melange