Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong (神龙) strives to keep the data accurate, but please verify and judge it against your own situation.
Vulnerability Title
melange has a path traversal in license-path which allows reading files outside workspace
Vulnerability Description
melange allows users to build apk packages using declarative pipelines. In versions from 0.14.0 up to, but not including, 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads the license files named in copyright[].license-path without validating that the resolved paths remain within the workspace directory, so ../ sequences can traverse out of it. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Vulnerability Type
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vulnerability Title
melange Path Traversal Vulnerability
Vulnerability Description
melange is open-source software from Chainguard for building APK packages from source. melange versions from 0.14.0 up to, but not including, 0.40.3 contain a path traversal vulnerability: the LicensingInfos function does not validate the path when it reads a license file, which can lead to path traversal and reading of arbitrary files.
CVSS Information
N/A
Vulnerability Type
N/A
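As an added example (not melange's code, and not the actual fix shipped in 0.40.3), the following Go program shows the kind of workspace-confinement check that the description says LicensingInfos lacked: it resolves a copyright[].license-path value relative to the workspace root and refuses any path that escapes it, both lexically and after symlink resolution, before the file content is read for the SBOM. The names ErrOutsideWorkspace, within, ResolveLicensePath and ReadLicenseText, and the sample workspace layout built in main, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned for any license-path that does not stay
// inside the workspace directory. (Hypothetical name, not melange's.)
var ErrOutsideWorkspace = errors.New("license-path resolves outside the workspace")

// within reports whether p lies under root. It uses filepath.Rel rather than
// a string-prefix test so that a sibling directory such as root+"2" is not
// mistaken for a child of root.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveLicensePath joins a configuration-supplied license-path onto the
// workspace root and returns it only if it stays inside the workspace.
// filepath.Join already collapses "../" segments, so the lexical check sees
// the real destination; a second check on the symlink-resolved path catches
// a link inside the workspace that points outside it.
func ResolveLicensePath(workspace, licensePath string) (string, error) {
	if filepath.IsAbs(licensePath) {
		return "", ErrOutsideWorkspace
	}
	root, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(root, licensePath)
	if !within(root, candidate) {
		return "", ErrOutsideWorkspace
	}
	// Only possible when both paths exist; a missing file fails at read time.
	realRoot, errRoot := filepath.EvalSymlinks(root)
	realCand, errCand := filepath.EvalSymlinks(candidate)
	if errRoot == nil && errCand == nil && !within(realRoot, realCand) {
		return "", ErrOutsideWorkspace
	}
	return candidate, nil
}

// ReadLicenseText reads the license file whose text would be embedded into
// the SBOM, but only after the path has been confined to the workspace.
func ReadLicenseText(workspace, licensePath string) ([]byte, error) {
	p, err := ResolveLicensePath(workspace, licensePath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	// Constructed sample layout: a workspace with a LICENSE file and a
	// "secret" file one level above it that a ../ traversal would reach.
	base, err := os.MkdirTemp("", "license-path-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	ws := filepath.Join(base, "workspace")
	_ = os.MkdirAll(ws, 0o755)
	_ = os.WriteFile(filepath.Join(ws, "LICENSE"), []byte("MIT\n"), 0o644)
	secret := filepath.Join(base, "secret.txt")
	_ = os.WriteFile(secret, []byte("not for the SBOM\n"), 0o644)

	for _, lp := range []string{"LICENSE", "../secret.txt", secret} {
		text, err := ReadLicenseText(ws, lp)
		if err != nil {
			fmt.Printf("%-20s rejected: %v\n", lp, err)
			continue
		}
		fmt.Printf("%-20s ok: %q\n", lp, text)
	}
}
```

The lexical check alone is enough for plain `../` traversal, but a build pipeline that lets the configuration author also place files in the workspace can reach outside it through a symlink, which is why the resolved path is checked a second time against the resolved root.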