CVE-2024-23650 — Improper Check for Unusual or Exceptional Conditions in Buildkit

CWE-754 — Improper Check for Unusual or Exceptional Conditions7 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 70.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

13

Moby Buildkit Github.com Moby Buildkit Mobyproject Buildkit +10 more

Timeline

PublishedJan 31

Latest updateFeb 12

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages13 packages

▶CVEListV5moby/buildkit< 0.12.5

▶NVDmobyproject/buildkit< 0.12.5

▶Gogithub.com/moby_buildkit< 0.12.5

▶msrcmsrc/azl3_docker-buildx_0.12.1-1_on_azure_linux_3.0

▶msrcmsrc/azl3_docker-buildx_0.14.0-1_on_azure_linux_3.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

4

OSV

Panic in github.com/moby/buildkit↗2024-02-12

▶

OSV

CVE-2024-23650: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner↗2024-01-31

▶

OSV

BuildKit vulnerable to possible panic when incorrect parameters sent from frontend↗2024-01-31

▶

GHSA

BuildKit vulnerable to possible panic when incorrect parameters sent from frontend↗2024-01-31

▶

📋Vendor Advisories

2

Red Hat

moby/buildkit: Possible race condition with accessing subpaths from cache mounts↗2024-01-31

▶

Microsoft

BuildKit possible panic when incorrect parameters sent from frontend↗2024-01-09

▶