CVE-2026-24844— melange 操作系统命令注入漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-24844の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
melange pipeline working-directory could allow command injection
ソース: NVD (National Vulnerability Database)
脆弱性説明
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
melange 操作系统命令注入漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
melange是Chainguard开源的一个从源代码构建APK的软件。 melange 0.40.3之前版本存在操作系统命令注入漏洞,该漏洞源于工作目录字段中的变量替换未正确转义,可能导致任意命令执行。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| chainguard-dev | melange | >= 0.3.0, < 0.40.3 | - |
II. CVE-2026-24844の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-24844のインテリジェンス情報
请登录查看更多情报信息。
- Merge commit from fork · chainguard-dev/melange@e51ca30 · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-24844
Same Patch Batch · chainguard-dev · 2026-02-04 · 7 CVEs total
| CVE-2026-24843 | 8.2 HIGH | melange QEMU runner could write files outside workspace directory |
| CVE-2026-25143 | 7.8 HIGH | melange affected by potential host command execution via license-check YAML mode patch pip |
| CVE-2026-25121 | 7.5 HIGH | apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside |
| CVE-2026-25140 | 7.5 HIGH | apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attack |
| CVE-2026-25122 | 5.5 MEDIUM | apko is vulnerable to unbounded resource consumption in expandapk.Split on attacker-contro |
| CVE-2026-25145 | 5.5 MEDIUM | melange has a path traversal in license-path which allows reading files outside workspace |
IV. 関連脆弱性
同じ製品: melange
- CVE-2026-29051
melange has Path Traversal via .PKGINFO in --persist-lint-re - CVE-2026-29050
melange has Path Traversal When Resolving External Pipelines - CVE-2026-29049
melange: unbounded HTTP download in `melange update-cache` c - CVE-2026-25145
melange has a path traversal in license-path which allows re - CVE-2026-25143
melange affected by potential host command execution via lic
同じベンダー: chainguard-dev
- CVE-2026-42576
apko `DiscoverKeys` has a panic on non-rsa jwks key that cau - CVE-2026-42575
apko doesn't verify downloaded apk packages against APKINDEX - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow - CVE-2026-29051
melange has Path Traversal via .PKGINFO in --persist-lint-re - CVE-2026-29050
melange has Path Traversal When Resolving External Pipelines
同じ弱点: CWE-78
- CVE-2026-8273
D-Link DNS-320 system_mgr.cgi cgi_merge_user os command inje - CVE-2026-8272
D-Link DNS-320 webfile_mgr.cgi chown os command injection - CVE-2026-8271
D-Link DNS-320 network_mgr.cgi cgi_upnp_edit os command inje - CVE-2026-8265
Tenda AC6 httpd getLogFile get_log_file os command injection - CVE-2026-8264
Tenda AC6 httpd WifiApScan formWifiApScan os command injecti
V. CVE-2026-24844へのコメント
まだコメントはありません