CVE-2024-24557

CWE-345, CWE-346, CWE-494 | 9 documents, 7 sources
Severity
7.8 HIGH
EPSS
0.1% (top 75.71%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 1
Latest update: Jun 28

Description

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build s

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
Exploitability: 1.0 | Impact: 5.3

Affected Packages (5 packages)

Source    | Package                   | Affected range                         | Fixed in
Go        | github.com/docker/docker  | 25.0.0+incompatible                    | 25.0.2+incompatible (+3 more ranges)
Debian    | docker.io                 | < 26.1.4+dfsg1-9                       | (+1 more range)
NVD       | mobyproject/moby          | 25.0.0                                 | 25.0.2 (+1 more range)
Go        | github.com/moby/moby      | 25.0.0+incompatible                    | 25.0.2+incompatible (+3 more ranges)
CVEListV5 | moby/moby                 | < 24.0.9; >= 25.0.0, < 25.0.2          | (+1 more range)

Patches

🔴 Vulnerability Details (5)

OSV: Classic builder cache poisoning in github.com/docker/docker (2024-06-28)
GHSA: Classic builder cache poisoning (2024-02-01)
OSV: CVE-2024-24557: Moby is an open-source project created by Docker to enable software containerization (2024-02-01)
CVEList: Moby classic builder cache poisoning (2024-02-01)
OSV: Classic builder cache poisoning (2024-02-01)

📋 Vendor Advisories (3)

Microsoft: Moby classic builder cache poisoning (2024-02-13)
Red Hat: moby: classic builder cache poisoning (2024-02-01)
Debian: CVE-2024-24557: docker.io - Moby is an open-source project created by Docker to enable software containeriza... (2024)

Source page: CVE-2024-24557 (HIGH, CVSS 7.8) | cvebase.io