CVE-2026-47192
kas's late signature validation may allow unnoticed repository manipulations
Description

### Impact

So far, kas checks out and processes repositories for configuration includes before validating the signatures of those repositories. Under very specific conditions this may allow an attacker to replace the original repository with one under their control. First of all, the attacker must have gained control of a repository that a kas file of the victim references. Furthermore, all of the following conditions must be fulfilled:

- the victim's kas configuration includes a configuration file from the attacked repository
- the repository state is referenced by tag, and no commit ID is specified (this triggers a warning, though)
- the key used for validating the tag or commit signature is stored as a file in a repository
- no fingerprint for the key is specified
- the `_source_dir` key is not set by the victim when calling kas (e.g. because no local `.config.yaml` is used)

Given these conditions, the attacker could modify the included kas configuration in such a way that the key used to validate the tag signature of the attacker's repository is replaced by an attacker-chosen key. No other exploit possibilities have been identified so far, but this does not rule out that others may exist.

### Patches

The vulnerability was introduced with a2480fe59b6421eb96cf3bd86527ae6e412a331e; commit https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57 resolves this issue. A misuse of `_source_dir` is resolved by commit https://github.com/siemens/kas/commit/c443c0a1fd0f9bd6a689a44d95a252085fc6da88. Shadowing a commit by a branch of the same name is described in advisory https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r and is addressed by commit https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5. All patches have been released with kas version 5.3.

### Workarounds

Pin the expected signature key via its fingerprint, also when storing it as a file in a repository.
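The following is an added example, not taken from the advisory or from the kas project: a kas configuration that satisfies every precondition listed above, followed by the same configuration with the advisory's workaround (a pinned fingerprint) and a commit pin applied. The key names (`header.includes`, `repos.<name>.signed`, `allowed_signers`, `signers.<name>.repo/path/fingerprint`) follow kas's documented configuration format as understood here and should be checked against the documentation of the installed release; the header version, repository URL, commit ID and fingerprint are placeholders.

```yaml
# Added example (not from the advisory or the kas project). Key names are
# assumed to match kas's documented configuration format; all values are
# placeholders.

# --- vulnerable.yml: matches every precondition from the Impact section ---
header:
  version: 20            # assumed header version, adjust to your kas release
  includes:
    - repo: upstream     # the include is taken from the attacked repository
      file: kas/common.yml

repos:
  upstream:
    url: https://example.invalid/upstream.git
    tag: v1.2.0          # referenced by tag only, no commit ID (kas warns)
    signed: true
    allowed_signers:
      - upstream-maintainer

signers:
  upstream-maintainer:
    type: gpg
    repo: upstream       # the key file lives in the repository it validates
    path: keys/maintainer.asc
    # no fingerprint: whatever key sits at that path is accepted

---
# --- hardened.yml: fingerprint pinned (the advisory's workaround) and the
# --- tag additionally pinned to a commit ID
header:
  version: 20
  includes:
    - repo: upstream
      file: kas/common.yml

repos:
  upstream:
    url: https://example.invalid/upstream.git
    tag: v1.2.0
    commit: 0000000000000000000000000000000000000000   # placeholder, pin the real commit
    signed: true
    allowed_signers:
      - upstream-maintainer

signers:
  upstream-maintainer:
    type: gpg
    repo: upstream
    path: keys/maintainer.asc
    fingerprint: "0000000000000000000000000000000000000000"  # placeholder, pin the real fingerprint
```

With the fingerprint pinned, a key file swapped in by an attacker no longer matches and signature validation fails even if the included configuration was processed before validation. Pinning the commit in addition removes the tag-only reference that the advisory lists as a precondition and silences the warning kas emits for it.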
Affected packages (2)
- Debian/kas: from 0
- PyPI/kas: >= 4.8, < 5.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
References (6)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-47192
- PATCH: https://github.com/siemens/kas
- WEB: https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5
- WEB: https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57
- WEB: https://github.com/siemens/kas/security/advisories/GHSA-4vqc-wpwg-vh7j
- WEB: https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r