fkie_cve-2025-54059
Vulnerability from fkie_nvd
Published
2025-07-18 16:15
Modified
2025-07-22 13:06
Severity ?
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.
References
security-advisories@github.comhttps://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04
security-advisories@github.comhttps://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1
security-advisories@github.comhttps://github.com/chainguard-dev/melange/pull/1836
security-advisories@github.comhttps://github.com/chainguard-dev/melange/pull/2086
security-advisories@github.comhttps://github.com/chainguard-dev/melange/releases/tag/v0.23.0
security-advisories@github.comhttps://github.com/chainguard-dev/melange/releases/tag/v0.29.5
security-advisories@github.comhttps://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Melange permite a los usuarios crear paquetes APK mediante pipelines declarativos. A partir de la versi\u00f3n 0.23.0 y anteriores a la 0.29.5, los archivos SBOM generados por Melange en APK ten\u00edan permisos de sistema de archivos en modo 666. Esto podr\u00eda permitir que un usuario sin privilegios altere los SBOM de APK en una imagen en ejecuci\u00f3n, lo que podr\u00eda confundir a los esc\u00e1neres de seguridad. Un atacante tambi\u00e9n podr\u00eda realizar un ataque de DoS en circunstancias especiales. La versi\u00f3n 0.29.5 corrige el problema."
    }
  ],
  "id": "CVE-2025-54059",
  "lastModified": "2025-07-22T13:06:27.983",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-18T16:15:30.180",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/chainguard-dev/melange/pull/1836"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/chainguard-dev/melange/pull/2086"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/chainguard-dev/melange/releases/tag/v0.23.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.