Melange Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Melange versions 0.14.0 up to, but not including, 0.40.3. The issue lies in the LicensingInfos function, which reads the license files named in the build configuration without validating their paths. An attacker who can supply a license path in that configuration can therefore traverse directories and read arbitrary files from the host system. The contents of those files are then embedded in the generated Software Bill of Materials (SBOM) as license information, potentially leaking sensitive data through build artifacts.

Impact

Exploitation of this vulnerability could lead to unauthorized reading of files outside the designated workspace, allowing sensitive information to be accessed and possibly leaked through build artifacts.

Reproduction

The vulnerability can be reproduced by creating a Melange configuration file that includes a license path with directory traversal sequences, such as '../'. When the LicensingInfos function is executed, it will read the specified file from the host system, bypassing workspace restrictions.
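The root cause described above is a missing containment check on the license path. As an added example (not melange's own code), the Go resolver below shows the check a hardened LicensingInfos would apply before reading the file; it assumes license paths are meant to be resolved relative to a single workspace directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideWorkspace = errors.New("license path escapes workspace")

// resolveLicensePath is a hypothetical hardened resolver, not melange's own code.
// It confines a license path from the build configuration to the workspace. The check
// is lexical: a symlink inside the workspace pointing outside it is not caught here and
// needs os.Root (Go 1.24+) or filepath.EvalSymlinks on top.
func resolveLicensePath(workspace, licensePath string) (string, error) {
	if filepath.IsAbs(licensePath) {
		return "", fmt.Errorf("%w: absolute path %q", ErrOutsideWorkspace, licensePath)
	}
	root, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../b" sequences are collapsed before the check.
	full := filepath.Join(root, licensePath)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// After Join, the only way to land outside root is a leading ".." component.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideWorkspace, licensePath)
	}
	return full, nil
}

func main() {
	ws, _ := os.MkdirTemp("", "ws") // constructed workspace with one license file
	defer os.RemoveAll(ws)
	_ = os.WriteFile(filepath.Join(ws, "LICENSE"), []byte("MIT\n"), 0o600)
	for _, p := range []string{"LICENSE", "sub/../LICENSE", "../outside.txt", "/outside.txt"} {
		if full, err := resolveLicensePath(ws, p); err != nil {
			fmt.Printf("%-16s rejected: %v\n", p, err)
		} else {
			data, _ := os.ReadFile(full)
			fmt.Printf("%-16s read %q\n", p, data)
		}
	}
}
```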

Remediation

Users should upgrade to Melange version 0.40.3 or later, where this vulnerability has been patched.

Added: Feb 4, 2026, 8:26 PM
Updated: Feb 4, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 6.3
remediation: 0.0
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.