Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14dzczLXJ3MzgtNnZqY84AA4_x
Classic builder cache poisoning
The classic builder cache system is prone to cache poisoning if the image is built FROM scratch
.
Also, changes to some instructions (most important being HEALTHCHECK
and ONBUILD
) would not cause a cache miss.
An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.
For example, an attacker could create an image that is considered as a valid cache candidate for:
FROM scratch
MAINTAINER Pawel
when in fact the malicious image used as a cache would be an image built from a different Dockerfile.
In the second case, the attacker could for example substitute a different HEALTCHECK
command.
Impact
23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0
environment variable) or are using the /build
API endpoint (which uses the classic builder by default).
All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.
Image build API endpoint (/build
) and ImageBuild
function from github.com/docker/docker/client
is also affected as it the uses classic builder by default.
Patches
Patches are included in Moby releases:
- v25.0.2
- v24.0.9
Workarounds
- Use
--no-cache
or use Buildkit if possible (DOCKER_BUILDKIT=1
, it's default on 23.0+ assuming that the buildx plugin is installed). - Use
Version = types.BuilderBuildKit
orNoCache = true
inImageBuildOptions
forImageBuild
call.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14dzczLXJ3MzgtNnZqY84AA4_x
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: about 1 month ago
CVSS Score: 6.9
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
Identifiers: GHSA-xw73-rw38-6vjc, CVE-2024-24557
References:
- https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc
- https://nvd.nist.gov/vuln/detail/CVE-2024-24557
- https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
- https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd
- https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff
- https://github.com/advisories/GHSA-xw73-rw38-6vjc
Blast Radius: 31.8
Affected Packages
go:github.com/docker/docker
Dependent packages: 13,274Dependent repositories: 40,103
Downloads:
Affected Version Ranges: < 24.0.9, >= 25.0.0, < 25.0.2
Fixed in: 24.0.9, 25.0.2
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.0, 1.13.1, 20.10.0, 20.10.1, 20.10.2, 20.10.3, 20.10.4, 20.10.5, 20.10.6, 20.10.7, 20.10.8, 20.10.9, 20.10.10, 20.10.11, 20.10.12, 20.10.13, 20.10.14, 20.10.15, 20.10.16, 20.10.17, 20.10.18, 20.10.19, 20.10.20, 20.10.21, 20.10.22, 20.10.23, 20.10.24, 20.10.25, 20.10.26, 20.10.27, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 23.0.8, 24.0.0, 24.0.1, 24.0.2, 24.0.3, 24.0.4, 24.0.5, 24.0.6, 24.0.7, 25.0.0
All unaffected versions: