High severity7.5NVD Advisory· Published Jun 3, 2024· Updated Apr 15, 2026
CVE-2024-36127
CVE-2024-36127
Description
apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
chainguard.dev/apkoGo | < 0.14.5 | 0.14.5 |
Patches
12c0533e4d52efix: redact URLs in config marshaling
1 file changed · +28 −0
pkg/build/types/types.go+28 −0 modified@@ -16,6 +16,7 @@ package types import ( "fmt" + "net/url" "runtime" "sort" @@ -95,6 +96,33 @@ type ImageContents struct { BaseImage *BaseImageDescriptor `json:"baseimage,omitempty" yaml:"baseimage,omitempty"` } +// MarshalYAML implements yaml.Marshaler for ImageContents, redacting URLs in +// the ImageContents struct fields. +func (i ImageContents) MarshalYAML() (interface{}, error) { + type redactedImageContents ImageContents + ri := redactedImageContents(i) + + for idx, repo := range ri.Repositories { + rawURL := repo + parsed, err := url.Parse(rawURL) + if err != nil { + return nil, fmt.Errorf("parsing repository URL: %w", err) + } + ri.Repositories[idx] = parsed.Redacted() + } + + for idx, key := range ri.Keyring { + rawURL := key + parsed, err := url.Parse(rawURL) + if err != nil { + return nil, fmt.Errorf("parsing public key URL: %w", err) + } + ri.Keyring[idx] = parsed.Redacted() + } + + return ri, nil +} + type ImageEntrypoint struct { // Optional: The type of entrypoint. Only "service-bundle" is supported. Type string `json:"type,omitempty"`
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.