Bug 1225875 (CVE-2024-36127)

Summary: VUL-0: CVE-2024-36127: apko: exposure of HTTP basic auth credentials in log output
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Johannes Kastl <opensuse_buildservice>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: camila.matos
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/408521/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-36127:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-06-03 17:47:45 UTC 
apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-36127
https://www.cve.org/CVERecord?id=CVE-2024-36127
https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01
https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp
Comment 1 Camila Camargo de Matos 2024-06-03 17:49:26 UTC 
Affected versions are the ones lower than 0.14.5. openSUSE:Factory/apko is not affected by this issue, as it is already at version 0.14.7.