PT-2024-26912 · Apko · Apko
Kolloch
Published 2024-06-03 · Updated 2024-06-14
CVE-2024-36127
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
apko versions prior to 0.14.5
Description
The issue concerns the exposure of HTTP basic auth credentials from repository and keyring URLs in log output. This occurs due to the use of the %s verb to format a url.URL as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL. Additionally, string URL values from configuration files were not parsed as URLs, so there was no chance of redacting any credentials they contained. For users accessing keyring or APK repository content using HTTP basic auth, credentials were being logged in plaintext, depending on the user's logging settings. This could lead to a company-internal or public leakage of credentials, especially if apko is used in continuous integration jobs.
Recommendations
For versions prior to 0.14.5, update to version 0.14.5 to fix the issue. As a temporary workaround, consider disabling the logging of sensitive information, such as HTTP basic auth credentials, until the update is applied. Restrict access to log output to minimize the risk of credential exposure. Avoid using HTTP basic auth credentials in repository and keyring URLs until the issue is resolved.
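The following Go program is an added illustration of the two defects described above and of the redaction the fix relies on; it is not apko's code. It shows the %s verb on a *url.URL writing the basic-auth password into a log line, the corrected form using url.URL.Redacted(), and a helper that parses raw URL strings (as read from a configuration file) before logging them so that redaction is possible at all. The function names and the sample URLs are constructed for this example; the example.invalid hosts do not resolve.

```go
package main

import (
	"fmt"
	"net/url"
)

// mustParse parses a raw URL string for the examples below and panics on
// failure. The inputs fed to it here are constructed sample values.
func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

// formatUnsafe reproduces the vulnerable pattern: the %s verb on a *url.URL
// calls its String() method, which writes the userinfo (user:password@) back
// out verbatim, so any basic-auth password in the URL lands in the log line.
func formatUnsafe(u *url.URL) string {
	return fmt.Sprintf("fetching index from %s", u)
}

// formatSafe is the corrected pattern: url.URL.Redacted() (Go 1.15 and later)
// returns the same string with the password replaced by "xxxxx".
func formatSafe(u *url.URL) string {
	return fmt.Sprintf("fetching index from %s", u.Redacted())
}

// redactRawURL addresses the second defect: URL values read from a config
// file arrive as plain strings, and a string has nothing to redact. Parsing
// first makes redaction possible. A value that does not parse is replaced by
// a placeholder rather than echoed, because the raw text may still carry a
// credential.
func redactRawURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable url>"
	}
	return u.Redacted()
}

// redactAll applies redactRawURL to every configured repository or keyring
// URL, yielding strings that are safe to include in a log message.
func redactAll(raws []string) []string {
	out := make([]string, 0, len(raws))
	for _, r := range raws {
		out = append(out, redactRawURL(r))
	}
	return out
}

func main() {
	// Constructed sample repository URL carrying basic-auth credentials.
	repo := mustParse("https://ci-user:s3cret@packages.example.invalid/repo/x86_64")
	fmt.Println(formatUnsafe(repo)) // password printed in clear
	fmt.Println(formatSafe(repo))   // password shown as xxxxx

	// Constructed config values: one with credentials, one without, one malformed.
	configured := []string{
		"https://ci-user:s3cret@packages.example.invalid/repo/x86_64",
		"https://keys.example.invalid/keyring.rsa.pub",
		"://not a url",
	}
	for _, s := range redactAll(configured) {
		fmt.Println("repository:", s)
	}
}
```

Redacted() only masks the password component; the username is kept, which matches the behaviour of Go's standard library and is usually acceptable in logs. The placeholder branch in redactRawURL matters in practice: logging the raw string on a parse error would reintroduce exactly the leak the fix is meant to close.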
Weakness types: Insertion into Log File; Insufficiently Protected Credentials
Affected Products: Apko