CVE-2024-23650

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/moby/buildkit/pull/4601	Patch Vendor Advisory
https://github.com/moby/buildkit/releases/tag/v0.12.5	Patch Release Notes
https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*

History

09 Feb 2024, 01:38

Type	Values Removed	Values Added
First Time		Mobyproject Mobyproject buildkit
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
References	~~() https://github.com/moby/buildkit/releases/tag/v0.12.5 -~~	() https://github.com/moby/buildkit/releases/tag/v0.12.5 - Patch, Release Notes
References	~~() https://github.com/moby/buildkit/pull/4601 -~~	() https://github.com/moby/buildkit/pull/4601 - Patch, Vendor Advisory
References	~~() https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx -~~	() https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx - Vendor Advisory
CPE		cpe:2.3:a:mobyproject:buildkit::::::::

31 Jan 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-31 22:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-23650

Mitre link : CVE-2024-23650

CVE.ORG link : CVE-2024-23650

JSON object : View

Products Affected

mobyproject

buildkit

CWE

CWE-754

Improper Check for Unusual or Exceptional Conditions

{"id": "CVE-2024-23650", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-01-31T22:15:53.990", "references": [{"url": "https://github.com/moby/buildkit/pull/4601", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/buildkit/releases/tag/v0.12.5", "tags": ["Patch", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.\n"}, {"lang": "es", "value": "BuildKit es un conjunto de herramientas para convertir c\u00f3digo fuente para crear artefactos de manera eficiente, expresiva y repetible. Un cliente o interfaz de BuildKit malicioso podr\u00eda crear una solicitud que podr\u00eda provocar que el daemon BuildKit se bloquee en p\u00e1nico. El problema se solucion\u00f3 en v0.12.5. Como workaround, evite utilizar interfaces BuildKit de fuentes que no sean de confianza."}], "lastModified": "2024-02-09T01:38:44.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0AAE2F08-4E4D-4B85-8230-8D5BA7788D3D", "versionEndExcluding": "0.12.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}