Headline
GHSA-9p26-698r-w4hx: BuildKit vulnerable to possible panic when incorrect parameters sent from frontend
Impact
A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.
Patches
The issue has been fixed in v0.12.5
Workarounds
Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax
line on your Dockerfile, or with --frontend
flag when using buildctl build
command.
References
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-23650
BuildKit vulnerable to possible panic when incorrect parameters sent from frontend
Moderate severity GitHub Reviewed Published Jan 31, 2024 in moby/buildkit • Updated Jan 31, 2024
Package
gomod github.com/moby/buildkit (Go)
Affected versions
< 0.12.5
Impact
A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.
Patches
The issue has been fixed in v0.12.5
Workarounds
Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax line on your Dockerfile, or with --frontend flag when using buildctl build command.
References****References
- GHSA-9p26-698r-w4hx
- moby/buildkit#4601
Published to the GitHub Advisory Database
Jan 31, 2024
Last updated
Jan 31, 2024
Related news
Gentoo Linux Security Advisory 202409-29 - Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service. Versions greater than or equal to 25.0.4 are affected.