CNNVD-202507-2445 Information
CNNVD ID
CNNVD-202507-2445
Related CVE
- CNNVD Published: 2025-07-18
Description (Chinese)
melange是Chainguard开源的一个从源代码构建APK的软件。 melange 0.23.0至0.29.5之前版本存在安全漏洞,该漏洞源于SBOM文件权限设置不当,可能导致篡改攻击。
Description (English)
Melange is a source-based software for building APK from Chaingulard open source. There is a security loophole in the pre-version version of MS0.23.0 to 0.29.5, which stems from the inappropriate set-up of SBOM documents, which could lead to a tampering attack.
Hazard Level
High
Vulnerability Type
其他
Affected Vendor
Chainguard
Published
2025-07-18
Last Modified
2026-02-24
References
https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04 https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1 https://github.com/chainguard-dev/melange/pull/1836 https://github.com/chainguard-dev/melange/pull/2086 https://github.com/chainguard-dev/melange/releases/tag/v0.23.0 https://github.com/chainguard-dev/melange/releases/tag/v0.29.5 https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh https://access.redhat.com/security/cve/cve-2025-54059
Patch
https://github.com/chainguard-dev/melange/releases
Share on: