logo

Database

Asymmetric denial of service In github.com/moby/buildkit

Description

BuildKit vulnerable to possible panic when incorrect parameters sent from frontend

Impact

A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.

Patches

The issue has been fixed in v0.12.5

Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax line on your Dockerfile, or with --frontend flag when using buildctl build command.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-236502. NVD-2024-236503. OSV-2024-236504. GHSA-9p26-698r-w4hx5. GCVE-2024-23650

References

1. https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx2. https://github.com/moby/buildkit/pull/46013. https://github.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc6569874. https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c5. https://github.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee6. https://github.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae7. https://github.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e5523308. https://github.com/moby/buildkit/releases/tag/v0.12.5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.