melange pipeline working-directory could allow command injection

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

melange 操作系统命令注入漏洞

melange是Chainguard开源的一个从源代码构建APK的软件。 melange 0.40.3之前版本存在操作系统命令注入漏洞，该漏洞源于工作目录字段中的变量替换未正确转义，可能导致任意命令执行。

N/A

N/A