Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    GHSA-4VQC-WPWG-VH7J

    Vulnerability from github – Published: 2026-06-04 17:36 – Updated: 2026-06-04 17:36
    VLAI
    Summary
    kas's late signature validation may allow unnoticed repository manipulations
    Details

    Impact

    So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions.

    First of all, the attacker must have gained control of a repository that a kas file of the victim is referencing. Furthermore, the following conditions must be fulfilled: - the victim's kas configuration must include a configuration file from the attacked repository - the repository state is referenced by tag, and no commit ID is specified (this is triggering a warning, though) - the key used for validating the tag or commit signature is stored as file in a repository - no fingerprint for the key is specified - the _source_dir key must not be set by the victim when calling kas (e.g. by avoiding a local .config.yaml)

    Given these conditions, the attacker could modify the included kas configuration in way that the key used to validate the tag signature of the attacker's repository could be replaced by an attacker-chosen key.

    No other exploit possibilities have been identified so far, but this does not rule out that those may exist.

    Patches

    The vulnerability was introduced with a2480fe59b6421eb96cf3bd86527ae6e412a331e, commit https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57 is resolving this issue. A misuse of _source_dir is resolved by commit https://github.com/siemens/kas/commit/c443c0a1fd0f9bd6a689a44d95a252085fc6da88. Shadowing a commit by a branch of the same name is described in advisory https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r and is addressed by commit https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5. All patches have been released along with kas version 5.3.

    Workarounds

    Pin the expected signature key via its fingerprint, also when storing it as file in a repository.

    Show details on source website

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "kas"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "4.8"
                },
                {
                  "fixed": "5.3"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2026-47192"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-347"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2026-06-04T17:36:03Z",
        "nvd_published_at": null,
        "severity": "LOW"
      },
      "details": "### Impact\nSo far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions.\n\nFirst of all, the attacker must have gained control of a repository that a kas file of the victim is referencing. Furthermore, the following conditions must be fulfilled:\n - the victim\u0027s kas configuration must include a configuration file from the attacked repository\n - the repository state is referenced by tag, and no commit ID is specified (this is triggering a warning, though)\n - the key used for validating the tag or commit signature is stored as file in a repository\n - no fingerprint for the key is specified\n - the  `_source_dir` key must not be set by the victim when calling kas (e.g. by avoiding a local `.config.yaml`)\n\nGiven these conditions, the attacker could modify the included kas configuration in way that the key used to validate the tag signature of the attacker\u0027s repository could be replaced by an attacker-chosen key.\n\nNo other exploit possibilities have been identified so far, but this does not rule out that those may exist.\n\n### Patches\nThe vulnerability was introduced with a2480fe59b6421eb96cf3bd86527ae6e412a331e, commit https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57 is resolving this issue. A misuse of `_source_dir` is resolved by commit https://github.com/siemens/kas/commit/c443c0a1fd0f9bd6a689a44d95a252085fc6da88. Shadowing a commit by a branch of the same name is described in advisory https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r and is addressed by commit https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5. All patches have been released along with kas version 5.3.\n\n### Workarounds\nPin the expected signature key via its fingerprint, also when storing it as file in a repository.",
      "id": "GHSA-4vqc-wpwg-vh7j",
      "modified": "2026-06-04T17:36:03Z",
      "published": "2026-06-04T17:36:03Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/security/advisories/GHSA-4vqc-wpwg-vh7j"
        },
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r"
        },
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5"
        },
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/siemens/kas"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "type": "CVSS_V4"
        }
      ],
      "summary": "kas\u0027s late signature validation may allow unnoticed repository manipulations"
    }

    PYSEC-2026-2543

    Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:04
    VLAI
    Details

    Impact

    So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions.

    First of all, the attacker must have gained control of a repository that a kas file of the victim is referencing. Furthermore, the following conditions must be fulfilled: - the victim's kas configuration must include a configuration file from the attacked repository - the repository state is referenced by tag, and no commit ID is specified (this is triggering a warning, though) - the key used for validating the tag or commit signature is stored as file in a repository - no fingerprint for the key is specified - the _source_dir key must not be set by the victim when calling kas (e.g. by avoiding a local .config.yaml)

    Given these conditions, the attacker could modify the included kas configuration in way that the key used to validate the tag signature of the attacker's repository could be replaced by an attacker-chosen key.

    No other exploit possibilities have been identified so far, but this does not rule out that those may exist.

    Patches

    The vulnerability was introduced with a2480fe59b6421eb96cf3bd86527ae6e412a331e, commit https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57 is resolving this issue. A misuse of _source_dir is resolved by commit https://github.com/siemens/kas/commit/c443c0a1fd0f9bd6a689a44d95a252085fc6da88. Shadowing a commit by a branch of the same name is described in advisory https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r and is addressed by commit https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5. All patches have been released along with kas version 5.3.

    Workarounds

    Pin the expected signature key via its fingerprint, also when storing it as file in a repository.

    Impacted products
    Name purl
    kas pkg:pypi/kas

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "kas",
            "purl": "pkg:pypi/kas"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "4.8"
                },
                {
                  "fixed": "5.3"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "4.8",
            "4.8.1",
            "4.8.2",
            "5.0",
            "5.1",
            "5.2"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-47192",
        "GHSA-4vqc-wpwg-vh7j"
      ],
      "details": "### Impact\nSo far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions.\n\nFirst of all, the attacker must have gained control of a repository that a kas file of the victim is referencing. Furthermore, the following conditions must be fulfilled:\n - the victim\u0027s kas configuration must include a configuration file from the attacked repository\n - the repository state is referenced by tag, and no commit ID is specified (this is triggering a warning, though)\n - the key used for validating the tag or commit signature is stored as file in a repository\n - no fingerprint for the key is specified\n - the  `_source_dir` key must not be set by the victim when calling kas (e.g. by avoiding a local `.config.yaml`)\n\nGiven these conditions, the attacker could modify the included kas configuration in way that the key used to validate the tag signature of the attacker\u0027s repository could be replaced by an attacker-chosen key.\n\nNo other exploit possibilities have been identified so far, but this does not rule out that those may exist.\n\n### Patches\nThe vulnerability was introduced with a2480fe59b6421eb96cf3bd86527ae6e412a331e, commit https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57 is resolving this issue. A misuse of `_source_dir` is resolved by commit https://github.com/siemens/kas/commit/c443c0a1fd0f9bd6a689a44d95a252085fc6da88. Shadowing a commit by a branch of the same name is described in advisory https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r and is addressed by commit https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5. All patches have been released along with kas version 5.3.\n\n### Workarounds\nPin the expected signature key via its fingerprint, also when storing it as file in a repository.",
      "id": "PYSEC-2026-2543",
      "modified": "2026-07-13T16:04:24.650495Z",
      "published": "2026-07-13T15:46:14.624742Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/security/advisories/GHSA-4vqc-wpwg-vh7j"
        },
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r"
        },
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5"
        },
        {
          "type": "WEB",
          "url": "https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/siemens/kas"
        },
        {
          "type": "PACKAGE",
          "url": "https://pypi.org/project/kas"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-4vqc-wpwg-vh7j"
        },
        {
          "type": "ADVISORY",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47192"
        }
      ],
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "type": "CVSS_V4"
        }
      ],
      "summary": "kas\u0027s late signature validation may allow unnoticed repository manipulations"
    }
    ubuntu-cve-2026-47192
    Vulnerability from osv_ubuntu
    Published
    2026-06-02 00:00
    Modified
    2026-06-02 00:00
    Summary
    Details

    [Unknown description]

    Severity
    N/A (UNKNOWN)

    {
      "affected": [
        {
          "ecosystem_specific": {
            "binaries": [
              {
                "binary_name": "kas",
                "binary_version": "2.6.3-2"
              }
            ]
          },
          "package": {
            "ecosystem": "Ubuntu:22.04:LTS",
            "name": "kas",
            "purl": "pkg:deb/ubuntu/kas@2.6.3-2?arch=source\u0026distro=jammy"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "2.3.3-2",
            "2.5-1",
            "2.6.3-2"
          ]
        },
        {
          "ecosystem_specific": {
            "binaries": [
              {
                "binary_name": "kas",
                "binary_version": "4.0-1"
              }
            ]
          },
          "package": {
            "ecosystem": "Ubuntu:24.04:LTS",
            "name": "kas",
            "purl": "pkg:deb/ubuntu/kas@4.0-1?arch=source\u0026distro=noble"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "4.0-1"
          ]
        },
        {
          "ecosystem_specific": {
            "binaries": [
              {
                "binary_name": "kas",
                "binary_version": "4.8.1-2"
              }
            ]
          },
          "package": {
            "ecosystem": "Ubuntu:25.10",
            "name": "kas",
            "purl": "pkg:deb/ubuntu/kas@4.8.1-2?arch=source\u0026distro=questing"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "4.7-1",
            "4.8.1-1",
            "4.8.1-2"
          ]
        },
        {
          "ecosystem_specific": {
            "binaries": [
              {
                "binary_name": "kas",
                "binary_version": "5.1-1"
              }
            ]
          },
          "package": {
            "ecosystem": "Ubuntu:26.04:LTS",
            "name": "kas",
            "purl": "pkg:deb/ubuntu/kas@5.1-1?arch=source\u0026distro=resolute"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "4.8.1-2",
            "5.0-1",
            "5.1-1"
          ]
        }
      ],
      "aliases": [],
      "details": "[Unknown description]",
      "id": "UBUNTU-CVE-2026-47192",
      "modified": "2026-06-02T00:00:00Z",
      "published": "2026-06-02T00:00:00Z",
      "references": [
        {
          "type": "REPORT",
          "url": "https://ubuntu.com/security/CVE-2026-47192"
        },
        {
          "type": "REPORT",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47192"
        },
        {
          "type": "REPORT",
          "url": "https://github.com/siemens/kas/security/advisories/GHSA-4vqc-wpwg-vh7j"
        },
        {
          "type": "REPORT",
          "url": "https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57"
        }
      ],
      "related": [],
      "schema_version": "1.7.0",
      "severity": [
        {
          "score": "medium",
          "type": "Ubuntu"
        }
      ],
      "upstream": [
        "CVE-2026-47192"
      ]
    }