Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-24845

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 3 weeks ago
@LeSuisse removed package malcontent-ui 1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse removed package malcontent 1 month, 2 weeks ago
@LeSuisse dismissed 1 month, 2 weeks ago

malcontent's OCI image scanning could expose registry credentials

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a `WWW-Authenticate` header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Version 1.20.3 fixes the issue by defaulting to anonymous auth for OCI pulls.

References

https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-9m43-p3cx-w8j5 x_refsource_CONFIRM
https://github.com/chainguard-dev/malcontent/commit/538ed00cdc639d687a4bd1e843a2be0428a3b3e7 x_refsource_MISC

Affected products

malcontent

==>= 0.10.0, < 1.20.3

Chainguard malcontent is not present in nixpkgs.

Suggestion detail

References

Affected products