Nixpkgs security tracker
7.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Activity log
- Created suggestion
melange pipeline working-directory could allow command injection
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
References
Affected products
- ==>= 0.3.0, < 0.40.3
Matching in nixpkgs
pkgs.melange
Build APKs from source code
pkgs.ocamlPackages.melange
Toolchain to produce JS from Reason/OCaml
pkgs.ocamlPackages.melange-json
Compositional JSON encode/decode library and PPX for Melange and OCaml
pkgs.ocamlPackages_latest.melange
Toolchain to produce JS from Reason/OCaml
-
nixos-unstable -
- nixpkgs-unstable 6.0.1-54
pkgs.ocamlPackages.melange-json-native
Compositional JSON encode/decode PPX for OCaml
pkgs.ocamlPackages_latest.melange-json
Compositional JSON encode/decode library and PPX for Melange and OCaml
-
nixos-unstable -
- nixpkgs-unstable 2.0.0
pkgs.ocamlPackages_latest.melange-json-native
Compositional JSON encode/decode PPX for OCaml
-
nixos-unstable -
- nixpkgs-unstable 2.0.0
Package maintainers
-
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
-
@GirardR1006 Julien Girard-Satabin <julien.girard2@cea.fr>