Moby classic builder cache poisoning
CVE-2024-24557

6.9MEDIUM

Key Information:

Vendor

Moby

Status
Vendor
CVE Published:
1 February 2024

Badges

đź“° News Worthy

What is CVE-2024-24557?

The Moby project, a pivotal component in the Docker ecosystem for software containerization, is vulnerable to cache poisoning when building images from scratch. This vulnerability mainly arises due to the classic builder cache system, where certain changes in build instructions, such as HEALTHCHECK and ONBUILD, do not trigger a cache miss. By exploiting this flaw, an attacker well-versed in the Dockerfile in use can introduce a malicious image that masquerades as a valid cache candidate. Users of Moby versions 23.0 and above are at risk only if they have disabled Buildkit or are utilizing the /build API endpoint. Notably, all users with versions older than 23.0 may also be affected. Mitigations and patches for this critical issue have been incorporated into Moby updates 24.0.9 and 25.0.2.

Affected Version(s)

moby >= 25.0.0, < 25.0.2 < 25.0.0, 25.0.2

moby < 24.0.9 < 24.0.9

News Articles

Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby | Docker

Docker security advisory about multiple vulnerabilities in runc, BuildKit, and Moby: We will publish patched versions of runc, BuildKit, and Moby on January 31 and release an update for Docker Desktop on February 1 to address these vulnerabilities.  Additionally, our latest Moby and BuildKit release...

References

CVSS V3.1

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • đź“°

    First article discovered by Docker

  • Vulnerability published

  • Vulnerability Reserved

.