x/vulndb: potential Go vuln in github.com/chainguard-dev/apko: CVE-2024-36127

[tatianab]

CVE-2024-36127 references github.com/chainguard-dev/apko, which may be a Go module.

Description:
apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-36127
• JSON: https://github.com/CVEProject/cvelist/tree/e076e9c24f3ede5a41143e706602e9c41139fd45/2024/36xxx/CVE-2024-36127.json
• advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36127
• fix: chainguard-dev/apko@2c0533e
• web: GHSA-v6mg-7f7p-qmqp
• Imported by: https://pkg.go.dev/github.com/chainguard-dev/apko?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/chainguard-dev/apko
      vulnerable_at: 0.14.8
      packages:
        - package: apko
summary: CVE-2024-36127 in github.com/chainguard-dev/apko
cves:
    - CVE-2024-36127
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36127
    - fix: https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01
    - web: https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp
source:
    id: CVE-2024-36127
    created: 2024-06-07T17:17:59.358757-04:00
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/592456 mentions this issue: data/reports: add 19 unreviewed reports

[gopherbot]

Change https://go.dev/cl/592457 mentions this issue: data/reports: add 16 unreviewed reports