Remote Code Execution Due to Untrusted APK Packages in Dockerfile

Severity: Critical Risk | Category: Infrastructure Security
Tags: docker, apk, supply-chain, rce, package-integrity

What it is

Attackers could introduce tampered packages that execute malicious code during build or runtime, compromising containers, pipelines, and dependent images.

Why it happens

Adding custom or community APK repositories without verifying their trustworthiness in Dockerfiles.

Root causes

Untrusted APK Repositories

Adding custom or community APK repositories without verifying their trustworthiness in Dockerfiles.

Disabled Signature Verification

Using the apk add --allow-untrusted flag to bypass package signature checks.

Insecure Package Sources

Downloading .apk files directly from HTTP URLs instead of using official Alpine repositories.

Fixes

1. Use Official Alpine Repositories

Only install packages from official Alpine Linux repositories, removing any custom repository additions.

2. Enable Signature Verification

Never use the --allow-untrusted flag; ensure every package carries a valid signature from a trusted key.

3. Pin Package Versions

Specify exact package versions (package=version) to ensure reproducible builds and prevent unexpected updates.

Detect This Vulnerability in Your Code

Sourcery automatically identifies remote code execution due to untrusted APK packages in Dockerfiles, along with many other security issues in your codebase.