CVE-2026-25121

Chainguard · apko

A high-severity vulnerability in apko affects how it builds and publishes OCI container images; images produced by an affected version of the tool may be compromised.

Executive summary

The apko container build tool contains a high-severity flaw that could allow a compromised OCI image to be produced during the build process, so that the published image no longer matches what the build was meant to contain.

Vulnerability

The vulnerability is in how apko assembles OCI container images from apk packages and carries a CVSS score of 7.5. The affected logic is reported as the image assembly or package verification path, which an attacker with access to the build pipeline could manipulate so that the resulting image differs from the declared package set. Exact technical details are not given here; treat every image built with an affected apko version as untrusted until it has been rebuilt.

Business impact

A successful exploit could result in malicious container images being distributed to production environments. Because the images come from the organization's own build pipeline and carry its own tags, they inherit the trust normally placed in first-party builds. This threatens the integrity of the containerized infrastructure and could lead to unauthorized access, data breaches, and a loss of trust in the organization's software delivery process.

Remediation

Immediate Action: Update apko to a fixed release and then rebuild and republish every container image that was generated with an affected version. Patching the tool does not repair images already built with it, so the rebuild is not optional; use the apko version recorded in each image's SBOM or build metadata to decide which images are in scope.

Proactive Monitoring: Implement image signing and verification (e.g., using Sigstore/Cosign) and enforce it at admission so that only signed, untampered images are deployed. Note the limit of this control for this CVE: a signature proves who built an image and that it was not altered afterwards, not that the build tool was sound. Pair signing with a recorded SBOM or provenance attestation that names the apko version, so that images built by an affected release can be identified and blocked.

Compensating Controls: Restrict access to the container build environment, pin the apko version and its inputs in the pipeline configuration, and use ephemeral build runners so that a compromise of one build cannot persist into the next.
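The rebuild step above depends on knowing which published images came from an affected apko version. The following is an added example, not code from apko, Chainguard, or this advisory: it reads the SPDX SBOMs that apko attaches to its builds, extracts the apko version from the SBOM creator field, and compares it with a fixed version supplied by the operator. Two assumptions are not stated on this page and are marked in the code: that the creator entry has the shape "Tool: apko (vX.Y.Z)" (the exact string may differ by apko release), and that the operator obtains the first fixed version from the vendor advisory; the script does not guess it. The SBOM contents and image names are constructed for the example.

```python
"""Triage images by the apko version recorded in their SPDX SBOM.

Added example for the CVE-2026-25121 remediation; not apko's own code.
"""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption: apko records itself in creationInfo.creators as
# "Tool: apko (vX.Y.Z)". Adjust the pattern if your SBOMs differ.
CREATOR_RE = re.compile(r"^Tool:\s*apko\s*\(v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'v1.2.3' or '1.2.3' (an optional -rc/+build suffix is ignored)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def apko_version_from_sbom(sbom: dict) -> Optional[Version]:
    """Return the apko version named in the SBOM, or None if absent."""
    creators = sbom.get("creationInfo", {}).get("creators", [])
    for entry in creators:
        m = CREATOR_RE.match(entry)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def is_affected(sbom: dict, fixed_version: str) -> Optional[bool]:
    """True if built by an apko older than fixed_version, None if unknown.

    Tuple comparison orders (major, minor, patch) numerically, so
    (0, 13, 2) < (0, 99, 0) as expected, unlike a string compare.
    """
    built_with = apko_version_from_sbom(sbom)
    if built_with is None:
        return None
    return built_with < parse_version(fixed_version)


def triage(sboms: Dict[str, str], fixed_version: str) -> Dict[str, str]:
    """Map each image name to 'rebuild', 'ok', or 'unknown-builder'.

    Images whose SBOM does not name apko at all are flagged separately:
    a missing builder record is itself a finding, not a pass.
    """
    labels = {True: "rebuild", False: "ok", None: "unknown-builder"}
    verdicts: Dict[str, str] = {}
    for image, raw in sboms.items():
        verdicts[image] = labels[is_affected(json.loads(raw), fixed_version)]
    return verdicts


# Constructed sample SBOMs, trimmed to the fields this script reads.
SAMPLE_SBOMS: Dict[str, str] = {
    "registry.example/app:1.0": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "creationInfo": {"creators": ["Tool: apko (v0.13.2)",
                                      "Organization: Example Corp"]},
    }),
    "registry.example/app:1.1": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "creationInfo": {"creators": ["Tool: apko (v0.99.0)"]},
    }),
    "registry.example/legacy:2.0": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "creationInfo": {"creators": ["Tool: some-other-builder (1.0)"]},
    }),
}

if __name__ == "__main__":
    # Placeholder: replace with the first fixed apko version from the
    # vendor advisory. "v0.99.0" is not a real fixed version.
    for image, verdict in triage(SAMPLE_SBOMS, "v0.99.0").items():
        print(f"{verdict:16} {image}")
```

For real images, feed `triage` the SBOM JSON pulled from your registry or artifact store (for example with `cosign download sbom`, where an SBOM was attached at publish time) and take every image marked "rebuild" or "unknown-builder" through the rebuild-and-republish step before it is allowed back into an admission-controlled cluster.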

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations using apko should update the tool immediately and rebuild affected images to reduce the risk of a supply chain attack. Building container images with patched, verifiably sound tooling, and keeping a record of which tool version produced each image, is a fundamental requirement of cloud-native security.