CVE-2024-23650 - OpenCVE

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mobyproject	Buildkit
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
container-tools:rhel8-8100020240227110532.82888897	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:2988	2024-05-22T00:00:00Z

References

Link	Providers
https://github.com/moby/buildkit/pull/4601
https://github.com/moby/buildkit/releases/tag/v0.12.5
https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
https://nvd.nist.gov/vuln/detail/CVE-2024-23650
https://www.cve.org/CVERecord?id=CVE-2024-23650

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-31T21:42:13.382Z

Updated: 2024-08-01T23:06:25.309Z

Reserved: 2024-01-19T00:18:53.234Z

Link: CVE-2024-23650

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-31T22:15:53.990

Modified: 2024-02-09T01:38:44.823

Link: CVE-2024-23650

Redhat

Severity : Moderate

Publid Date: 2024-01-31T00:00:00Z

Links: CVE-2024-23650 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23650", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-19T00:18:53.234Z", "datePublished": "2024-01-31T21:42:13.382Z", "dateUpdated": "2024-08-01T23:06:25.309Z"}, "containers": {"cna": {"title": "BuildKit possible panic when incorrect parameters sent from frontend", "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx"}, {"name": "https://github.com/moby/buildkit/pull/4601", "tags": ["x_refsource_MISC"], "url": "https://github.com/moby/buildkit/pull/4601"}, {"name": "https://github.com/moby/buildkit/releases/tag/v0.12.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/moby/buildkit/releases/tag/v0.12.5"}], "affected": [{"vendor": "moby", "product": "buildkit", "versions": [{"version": "< 0.12.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-31T21:42:13.382Z"}, "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.\n"}], "source": {"advisory": "GHSA-9p26-698r-w4hx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.309Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx"}, {"name": "https://github.com/moby/buildkit/pull/4601", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moby/buildkit/pull/4601"}, {"name": "https://github.com/moby/buildkit/releases/tag/v0.12.5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moby/buildkit/releases/tag/v0.12.5"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AAE2F08-4E4D-4B85-8230-8D5BA7788D3D", "versionEndExcluding": "0.12.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.\n"}, {"lang": "es", "value": "BuildKit es un conjunto de herramientas para convertir c\u00f3digo fuente para crear artefactos de manera eficiente, expresiva y repetible. Un cliente o interfaz de BuildKit malicioso podr\u00eda crear una solicitud que podr\u00eda provocar que el daemon BuildKit se bloquee en p\u00e1nico. El problema se solucion\u00f3 en v0.12.5. Como workaround, evite utilizar interfaces BuildKit de fuentes que no sean de confianza."}], "id": "CVE-2024-23650", "lastModified": "2024-02-09T01:38:44.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-31T22:15:53.990", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/moby/buildkit/pull/4601"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes"], "url": "https://github.com/moby/buildkit/releases/tag/v0.12.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2988", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:rhel8-8100020240227110532.82888897", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}], "bugzilla": {"description": "moby/buildkit: Possible race condition with accessing subpaths from cache mounts", "id": "2262272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262272"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-754", "details": ["BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.", "A vulnerability was found in the Moby Builder Toolkit. A malicious BuildKit client or any frontend that can craft a request could lead to the BuildKit daemon crashing with a panic due to the lack of input validation. A frontend is usually specified as the #syntax line on a Dockerfile or with the --frontend flag when using the buildctl build command."], "mitigation": {"lang": "en:us", "value": "Avoid using untrusted input for the client or frontend syntax to minimize the vulnerability exploration."}, "name": "CVE-2024-23650", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "odo", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23650\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23650\nhttps://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx"], "threat_severity": "Moderate", "upstream_fix": "buildkit 0.12.5"}