Vulnerability Information
Vulnerability Title
apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
Vulnerability Description
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Vulnerability Type
Incorrect Type Conversion
Vulnerability Title
apko code issue vulnerability
Vulnerability Description
apko is an apk-based OCI image builder open-sourced by apko. Versions of apko prior to 1.2.7 contain a code issue vulnerability: DiscoverKeys unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type, so a non-RSA key can trigger a panic and crash the process.
CVSS Information
N/A
Vulnerability Type
N/A
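The defect described in both entries above is an unchecked Go type assertion on a key of interface type. The following added example is not apko's code: it uses a hypothetical minimal `jwk` struct (standing in for the parsed JWKS entry that apko iterates over), a constructed key set with one RSA and one EC key, and two versions of a `discoverKeys` routine. `discoverKeysUnchecked` mirrors the pre-1.2.7 pattern and panics on the EC key; `discoverKeysChecked` uses the comma-ok form and returns an error instead. Whether the real 1.2.7 fix errors or skips non-RSA keys is not stated on the page; returning an error is this example's choice.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// jwk is a hypothetical stand-in for a parsed JSON Web Key entry (not apko's
// or go-jose's type). Key holds whatever public key the JWKS carried.
type jwk struct {
	KeyID string
	Key   crypto.PublicKey
}

// sampleJWKS builds a constructed key set with one RSA and one EC key,
// modelling a repository JWKS endpoint that returns mixed key types.
func sampleJWKS() []jwk {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return []jwk{
		{KeyID: "rsa-1", Key: &rsaKey.PublicKey},
		{KeyID: "ec-1", Key: &ecKey.PublicKey},
	}
}

// discoverKeysUnchecked reproduces the vulnerable pattern: a single-value
// type assertion. On the EC key the assertion panics, and because nothing
// recovers it the whole process dies (the availability impact in the CVSS).
func discoverKeysUnchecked(keys []jwk) map[string][]byte {
	out := make(map[string][]byte)
	for _, k := range keys {
		pub := k.Key.(*rsa.PublicKey) // panics when Key is not *rsa.PublicKey
		out[k.KeyID] = encodePEM(pub)
	}
	return out
}

// discoverKeysChecked is the hardened form: the comma-ok assertion turns an
// unexpected key type into an ordinary error the caller can handle.
func discoverKeysChecked(keys []jwk) (map[string][]byte, error) {
	out := make(map[string][]byte)
	for _, k := range keys {
		pub, ok := k.Key.(*rsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("key %q: unsupported key type %T, want *rsa.PublicKey", k.KeyID, k.Key)
		}
		out[k.KeyID] = encodePEM(pub)
	}
	return out, nil
}

// encodePEM serialises an RSA public key as a PEM block, the form a
// package-signing key is typically stored in.
func encodePEM(pub *rsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// crashesOn reports whether f panics; it exists only to demonstrate the
// crash without killing the demo process.
func crashesOn(f func()) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	f()
	return false
}

func main() {
	keys := sampleJWKS()
	fmt.Println("unchecked assertion panics on EC key:", crashesOn(func() { discoverKeysUnchecked(keys) }))
	if _, err := discoverKeysChecked(keys); err != nil {
		fmt.Println("checked version returns error instead:", err)
	}
}
```

The one-line difference is `pub := k.Key.(*rsa.PublicKey)` versus `pub, ok := k.Key.(*rsa.PublicKey)`; the first converts untrusted remote input (the repository's JWKS) directly into a process crash, the second keeps control in the caller. The same applies to any type assertion on data decoded from the network, so a quick review target is every single-value assertion on a value that originated outside the program.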