Melange SBOM File Permission Vulnerability in APK Packages
Vulnerability
A vulnerability exists in the Melange tool, versions 0.23.0 up to but not including 0.29.5: the Software Bill of Materials (SBOM) files it generates inside APK packages were written with world-writable permissions. An unprivileged user on a live image could therefore modify a package's SBOM, potentially misleading security scanners, and under certain conditions cause a denial of service.
Impact
Because the SBOM files carry incorrect permissions, an unauthorized user can alter them, which can confuse security scanning tools that rely on the SBOM to decide what a package contains. Under specific circumstances the flaw can also be exploited to create a denial-of-service condition.
Reproduction
To reproduce the issue, build an APK package with Melange version 0.23.0 and inspect the permissions of the SBOM file it generates: the file is world-writable, so any unprivileged user can modify it.
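A defender mostly wants a quick way to confirm whether a built package, or an already installed image, carries a world-writable SBOM. The script below is an added example, not code from the Melange project or from this advisory. It reads an .apk (a gzip-compressed tar stream) with Python's tarfile module and flags members whose mode grants write to "other"; the same check is offered for an installed filesystem. The SBOM location var/lib/db/sbom/ and the sample package contents are assumptions made for the example; adjust the prefix if your distribution stores SBOMs elsewhere.

```python
"""Flag world-writable SBOM files in an APK package or on a live image.

Added example for this advisory; not part of Melange.
"""
import io
import os
import stat
import tarfile
import tempfile

# Assumed location of Melange-generated SBOMs inside a package and on an
# installed image (path is an assumption, not taken from the advisory).
SBOM_PREFIX = "var/lib/db/sbom/"


def _is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit (o+w) is set."""
    return bool(mode & stat.S_IWOTH)


def scan_apk(apk_path: str) -> list:
    """Return a finding dict for every world-writable member of an .apk.

    Each finding has "name", "mode" (octal string) and "is_sbom".
    Symlinks are skipped because their mode bits carry no meaning.
    """
    findings = []
    # .apk files are gzip-compressed tar streams, so tarfile can read them.
    with tarfile.open(apk_path, mode="r:gz") as tf:
        for member in tf:
            if member.issym():
                continue
            if _is_world_writable(member.mode):
                findings.append({
                    "name": member.name,
                    "mode": oct(member.mode & 0o7777),
                    "is_sbom": member.name.startswith(SBOM_PREFIX),
                })
    return findings


def scan_sbom_dir(root: str = "/" + SBOM_PREFIX) -> list:
    """Same check against the SBOM directory of an installed (live) image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if _is_world_writable(st.st_mode):
                findings.append({
                    "name": path,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "is_sbom": True,
                })
    return findings


def build_sample_apk(path: str, sbom_mode: int) -> str:
    """Write a constructed, minimal APK-like tar.gz used only as a fixture.

    It contains a .PKGINFO entry and one SBOM member stored under
    SBOM_PREFIX with the requested permission bits.
    """
    pkginfo = b"pkgname = sample-pkg\npkgver = 1.0.0-r0\n"
    sbom = b'{"spdxVersion": "SPDX-2.3", "name": "sample-pkg-1.0.0-r0"}\n'
    with tarfile.open(path, mode="w:gz") as tf:
        info = tarfile.TarInfo(".PKGINFO")
        info.size, info.mode = len(pkginfo), 0o644
        tf.addfile(info, io.BytesIO(pkginfo))
        info = tarfile.TarInfo(SBOM_PREFIX + "sample-pkg-1.0.0-r0.spdx.json")
        info.size, info.mode = len(sbom), sbom_mode
        tf.addfile(info, io.BytesIO(sbom))
    return path


def self_check() -> dict:
    """Build one vulnerable-style (0666) and one fixed-style (0644) fixture
    and return the scan result for each, keyed "vulnerable" and "fixed"."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_sample_apk(os.path.join(tmp, "bad.apk"), 0o666)
        good = build_sample_apk(os.path.join(tmp, "good.apk"), 0o644)
        return {"vulnerable": scan_apk(bad), "fixed": scan_apk(good)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Scan real packages passed on the command line.
        for apk in sys.argv[1:]:
            for f in scan_apk(apk):
                print(apk, f["name"], f["mode"], "SBOM" if f["is_sbom"] else "")
    else:
        print(self_check())
```

Run it with one or more .apk paths to list every world-writable member, with SBOM entries marked; with no arguments it exercises the constructed fixtures. After upgrading to a fixed Melange, rebuilding the package and rerunning the scan is a cheap way to confirm the SBOM is no longer writable by "other".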
Remediation
Upgrade to Melange version 0.29.5 or later, where this vulnerability has been fixed.
