
Codyharris-H2O-Ai

#21474 of 53,779
11.4 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2025-30050
7.0
2025-07-18
Apko · Apko · CVE-2025-53945
**Name of the Vulnerable Software and Affected Versions** apko versions 0.27.0 through 0.29.4

**Description** apko is a tool that allows users to build and publish OCI container images built from apk packages. In versions prior to 0.29.5, critical files were inadvertently set to 0666, which could potentially be exploited for root escalation.

**Recommendations** Update to version 0.29.5 or later.
PT-2025-30051
4.4
2025-07-18
Melange · Melange · CVE-2025-54059
**Name of the Vulnerable Software and Affected Versions** melange versions 0.23.0 through 0.29.4

**Description** melange allows users to build apk packages using declarative pipelines. SBOM files generated by melange in apks had file system permissions mode 666, potentially allowing an unprivileged user to tamper with apk SBOMs on a running image, which could confuse security scanners. An attacker could also perform a Denial of Service under special circumstances.

**Recommendations** Update to version 0.29.5 or later.