GHSA-9p26-698r-w4hx: BuildKit vulnerable to possible panic when incorrect parameters sent from frontend

Impact

A malicious BuildKit client or frontend could craft a request that causes the BuildKit daemon to crash with a panic.

Patches

The issue has been fixed in v0.12.5.

Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified in the #syntax line of your Dockerfile, or with the --frontend flag when using the buildctl build command.
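
One way to check Dockerfiles against this workaround before they reach a builder, as an added example that is not part of the advisory or of BuildKit's own code. It covers only the #syntax directive, not the buildctl --frontend flag; the function names, the allowlist policy and the sample Dockerfile (including the registry.example host) are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// directiveRe matches a parser directive comment, e.g. "# syntax=docker/dockerfile:1".
var directiveRe = regexp.MustCompile(`^#\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$`)

// SyntaxFrontend returns the frontend image named by a "# syntax=" directive.
// Directives are only honoured at the top of a Dockerfile, so the first blank
// line, ordinary comment or instruction ends the search. Other directives
// (such as escape) are skipped.
func SyntaxFrontend(dockerfile string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		m := directiveRe.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			return "", false
		}
		if strings.EqualFold(m[1], "syntax") {
			return m[2], true
		}
	}
	return "", false
}

// Repo strips the digest, tag and a leading "docker.io/" from an image reference.
func Repo(ref string) string {
	ref, _, _ = strings.Cut(ref, "@")
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	return strings.TrimPrefix(ref, "docker.io/")
}

// Allowed is true when the Dockerfile uses the built-in frontend (no directive)
// or a frontend whose repository is on the allowlist.
func Allowed(dockerfile string, allowlist map[string]bool) bool {
	ref, ok := SyntaxFrontend(dockerfile)
	return !ok || allowlist[Repo(ref)]
}

func main() {
	allow := map[string]bool{"docker/dockerfile": true} // assumed policy; Dockerfile below is constructed
	fmt.Println(Allowed("# syntax=registry.example/unvetted/fe:1\nFROM alpine\n", allow))
}
```

Run over every Dockerfile in a repository, a false result marks a build that would pull a frontend outside the reviewed set.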

CVE ID: CVE-2024-23650

Moderate severity • GitHub Reviewed • Published Jan 31, 2024 in moby/buildkit • Updated Jan 31, 2024

Package

gomod github.com/moby/buildkit (Go)

Affected versions

< 0.12.5

References

  • GHSA-9p26-698r-w4hx
  • moby/buildkit#4601

Published to the GitHub Advisory Database: Jan 31, 2024

Last updated: Jan 31, 2024

Related news

Gentoo Linux Security Advisory 202409-29

Gentoo Linux Security Advisory 202409-29 - Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service. Versions greater than or equal to 25.0.4 are affected.
