Moby classic builder cache poisoning
CVE-2024-24557

7.8 HIGH

Key Information:

Vendor: moby
Status: Vendor
CVE Published: 1 February 2024

Badges

📰 News Worthy

Summary

The Moby project, a core component of the Docker ecosystem for software containerization, is vulnerable to cache poisoning in its classic builder when an image is built FROM scratch. The classic builder's cache does not treat changes to some build instructions, such as HEALTHCHECK and ONBUILD, as a cache miss. An attacker who knows the Dockerfile in use can therefore introduce a malicious image that masquerades as a valid cache candidate. Users of Moby 23.0 and above are at risk only if they have disabled BuildKit or are using the /build API endpoint. All users of versions older than 23.0 may also be affected. Mitigations and patches for this issue are included in Moby 24.0.9 and 25.0.2.

Affected Version(s)

moby >= 25.0.0, < 25.0.2

moby < 24.0.9

News Articles

Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby | Docker

Docker security advisory about multiple vulnerabilities in runc, BuildKit, and Moby: We will publish patched versions of runc, BuildKit, and Moby on January 31 and release an update for Docker Desktop on February 1 to address these vulnerabilities.  Additionally, our latest Moby and BuildKit release...

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 📰 First article discovered by Docker

  • Vulnerability published

  • Vulnerability Reserved
