Wagoodman

**Name of the Vulnerable Software and Affected Versions** stereoscope versions prior to 0.0.1 **Description** It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. This issue is related to the use of the `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function. **Recommendations** As a temporary workaround, consider switching to using an OCI layout by unarchiving the tar archive and providing the unarchived directory to stereoscope. For versions prior to 0.0.1, update to version 0.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** syft versions v0.69.0 through v0.69.1 **Description** A password disclosure flaw was found in syft, which leaks the password stored in the `SYFT ATTEST PASSWORD` environment variable. This variable is used to decrypt the private key during the signing process while generating an SBOM attestation. The credentials are leaked in two ways: in the syft logs when `-vv` or `-vvv` are used in the syft command and in the attestation or SBOM only when the `syft-json` format is used. This vulnerability affects users running syft that have the `SYFT ATTEST PASSWORD` environment variable set with credentials. Note that any generated attestations by the `syft attest` command are uploaded to the OCI registry, which means that any attestations generated for the affected versions of syft when the `SYFT ATTEST PASSWORD` environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry. **Recommendations** For syft versions v0.69.0 through v0.69.1, upgrade to version v0.70.0 to resolve the issue. As a temporary workaround, consider removing the `SYFT ATTEST PASSWORD` environment variable to prevent credential leakage. Restrict access to the syft logs and attestation or SBOM files to minimize the risk of exploitation. Avoid using the `syft-json` format until the issue is resolved.