{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26054", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-17T22:44:03.151Z", "datePublished": "2023-03-06T18:05:07.602Z", "dateUpdated": "2024-08-02T11:39:06.521Z"}, "containers": {"cna": {"title": "Credentials inlined to Git URLs could end up in provenance attestation in BuildKit", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc"}, {"name": "https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604", "tags": ["x_refsource_MISC"], "url": "https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"}], "affected": [{"vendor": "moby", "product": "buildkit", "versions": [{"version": ">= 0.10.0, < 0.11.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-06T18:05:07.602Z"}, "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`."}], "source": {"advisory": "GHSA-gc89-7gcr-jxqc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.521Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc"}, {"name": "https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "B20CBA03-7DD3-4756-AE19-BE0B45272C1F", "versionEndExcluding": "0.11.4", "versionStartIncluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`."}, {"lang": "es", "value": "BuildKit es un conjunto de herramientas para convertir c\u00f3digo fuente para crear artefactos de manera eficiente, expresiva y repetible. En las versiones afectadas, cuando el usuario env\u00eda una solicitud de compilaci\u00f3n que contiene una URL de Git que contiene credenciales y la compilaci\u00f3n crea una atestaci\u00f3n de procedencia que describe esa compilaci\u00f3n, estas credenciales podr\u00edan ser visibles desde la atestaci\u00f3n de procedencia. La URL de Git se puede pasar de dos maneras: 1) Invocando la compilaci\u00f3n directamente desde una URL con credenciales. 2) Si el cliente env\u00eda par\u00e1metros de sugerencias de informaci\u00f3n del sistema de control de versiones (VCS) adicionales en compilaciones desde una fuente local. Por lo general, eso significar\u00eda leer la URL de origen del archivo `.git/config`. Cuando se realiza una compilaci\u00f3n en condiciones espec\u00edficas en las que se pasaron credenciales a BuildKit, es posible que sean visibles para todos los que tengan acceso a la certificaci\u00f3n de procedencia. En la versi\u00f3n v0.11.0 se agregaron certificaciones de procedencia y sugerencias de informaci\u00f3n de VCS. Las versiones anteriores no son vulnerables. En la versi\u00f3n 0.10, al compilar directamente desde la URL de Git, la misma URL podr\u00eda ser visible en la estructura `BuildInfo` que es una predecesora de las certificaciones de procedencia. Las versiones anteriores no son vulnerables. Este error se ha solucionado en v0.11.4. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden desactivar las sugerencias de informaci\u00f3n de VCS configurando `BUILDX_GIT_INFO=0`. `buildctl` no establece sugerencias de VCS basadas en el directorio `.git` y los valores deber\u00edan pasarse manualmente con `--opt`."}], "id": "CVE-2023-26054", "lastModified": "2023-09-15T21:15:09.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-03-06T19:15:10.390", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3537", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-docker-builder:v4.13.0-202306050632.p0.gd02643e.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2023-06-13T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/grafana-rhel8:2.4.4-2", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.4.4-5", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/istio-must-gather-rhel8:2.4.4-3", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/istio-rhel8-operator:2.4.4-6", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/kiali-rhel8:1.65.9-4", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/kiali-rhel8-operator:1.65.9-1", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/pilot-rhel8:2.4.4-5", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/proxyv2-rhel8:2.4.4-5", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5952", "cpe": "cpe:/a:redhat:service_mesh:2.4::el8", "package": "openshift-service-mesh/ratelimit-rhel8:2.4.4-2", "product_name": "Red Hat OpenShift Service Mesh 2.4 for RHEL 8", "release_date": "2023-10-19T00:00:00Z"}], "bugzilla": {"description": "buildkit: Data disclosure in provenance attestation describing a build", "id": "2176447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176447"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.", "A flaw was found in the moby buildkit. When a build is performed under specific conditions where credentials were passed to BuildKit, it may be visible to everyone with access to provenance attestation."], "name": "CVE-2023-26054", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/oc-mirror-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2023-03-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-26054\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-26054\nhttps://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc"], "threat_severity": "Moderate", "upstream_fix": "buildkit 0.11.4"}