CVE-2024-36127

apko Exposure of HTTP basic auth credentials in log output

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

apko is an apk-based OCI image builder. apko exposes HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.

apko is an apk-based OCI image builder. apko exposes the HTTP basic authentication credentials of the repository and keyring URLs in the log output. This vulnerability was fixed in v0.14.5.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
Exploitation
PoC
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-20 CVE Reserved
  • 2024-06-03 CVE Published
  • 2024-06-04 EPSS Updated
  • 2024-09-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-522: Insufficiently Protected Credentials
  • CWE-532: Insertion of Sensitive Information into Log File
CAPEC
Affected Vendors, Products, and Versions
Vendor          Product  Version   Other  Status
Chainguard-dev  Apko     < 0.14.5  en     Affected