Apko Unchecked Type Assertion Vulnerability in JWKS Key Discovery Process Causes Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Apko versions prior to 1.2.7. The issue arises in the 'DiscoverKeys' function, where JWKS keys are unconditionally type-asserted as RSA public keys without verifying the key type. This flaw can lead to a panic and crash the Apko process if a repository JWKS endpoint returns a non-RSA key, such as an EC key. The vulnerability impacts any workflow that initializes the APK database and retrieves repository keys.
Impact
Exploitation of this vulnerability causes a panic that crashes the Apko process, disrupting any workflows that depend on key discovery and APK database initialization.
Reproduction
To reproduce this vulnerability, use a version of Apko prior to 1.2.7 and configure a JWKS endpoint that returns a non-RSA key, such as an EC key. When the 'DiscoverKeys' function is called, the unchecked type assertion will cause a panic, leading to a crash.
Remediation
Users can upgrade to Apko version 1.2.7 or later, where this vulnerability has been patched.
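The two code shapes behind this advisory, written here as an added Go example rather than Apko's own code: discoverKeysUnsafe uses the single-value type assertion the pre-1.2.7 DiscoverKeys path relied on, discoverKeysSafe shows the two-value check that turns a non-RSA key into a returned error, and the key set is generated locally to stand in for a JWKS response (the function and variable names are assumed, not taken from the project).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// discoverKeysUnsafe mirrors the pre-1.2.7 pattern the advisory describes: each
// JWKS key is asserted to be *rsa.PublicKey with no check, so one EC key panics.
func discoverKeysUnsafe(jwks []crypto.PublicKey) []*rsa.PublicKey {
	keys := make([]*rsa.PublicKey, len(jwks))
	for i, k := range jwks {
		keys[i] = k.(*rsa.PublicKey) // single-value assertion: panics on *ecdsa.PublicKey
	}
	return keys
}

// discoverKeysSafe is the hardened form: the "comma ok" assertion returns an error for unexpected key types.
func discoverKeysSafe(jwks []crypto.PublicKey) ([]*rsa.PublicKey, error) {
	keys := make([]*rsa.PublicKey, 0, len(jwks))
	for i, k := range jwks {
		rsaKey, ok := k.(*rsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("jwks key %d: unsupported key type %T, want *rsa.PublicKey", i, k)
		}
		keys = append(keys, rsaKey)
	}
	return keys, nil
}

// constructedJWKS stands in for a repository JWKS response: one RSA key, then one EC (P-256) key, generated locally.
func constructedJWKS() []crypto.PublicKey {
	rsaKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("constructed key generation failed")
	}
	return []crypto.PublicKey{&rsaKey.PublicKey, &ecKey.PublicKey}
}

func main() {
	jwks := constructedJWKS()
	defer func() { fmt.Println("unchecked assertion panicked:", recover()) }()
	fmt.Println(discoverKeysSafe(jwks)) // [] jwks key 1: unsupported key type *ecdsa.PublicKey, want *rsa.PublicKey
	discoverKeysUnsafe(jwks)            // panics with "interface conversion" and is recovered above
}
```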
