CVE-2024-24557

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-24557

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24557.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-24557

Aliases

Related

Published

2024-02-01T17:15:10Z

Modified

2024-11-01T14:48:51.298777Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

References

Affected packages

Debian:11 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.5+dfsg1-1

20.10.5+dfsg1-1+deb11u1

20.10.5+dfsg1-1+deb11u2

20.10.5+dfsg1-1+deb11u3

20.10.8+dfsg1-1

20.10.8+dfsg1-2

20.10.10+dfsg1-1

20.10.11+dfsg1-1

20.10.11+dfsg1-2

20.10.14+dfsg1-1

20.10.17+dfsg1-1

20.10.19+dfsg1-1

20.10.21+dfsg1-1

20.10.22+dfsg1-1

20.10.22+dfsg1-2

20.10.23+dfsg1-1

20.10.24+dfsg1-1

20.10.25+dfsg1-1

20.10.25+dfsg1-2

20.10.25+dfsg1-3

20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1

26.1.4+dfsg1-2

26.1.4+dfsg1-3

26.1.4+dfsg1-4

26.1.4+dfsg1-5

26.1.4+dfsg1-6

26.1.4+dfsg1-7

26.1.4+dfsg1-8

26.1.4+dfsg1-9

26.1.4+dfsg2-1

26.1.4+dfsg3-1

26.1.5+dfsg1-1

26.1.5+dfsg1-2

26.1.5+dfsg1-3

26.1.5+dfsg1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.24+dfsg1-1

20.10.24+dfsg1-1+deb12u1

20.10.25+dfsg1-1

20.10.25+dfsg1-2

20.10.25+dfsg1-3

20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1

26.1.4+dfsg1-2

26.1.4+dfsg1-3

26.1.4+dfsg1-4

26.1.4+dfsg1-5

26.1.4+dfsg1-6

26.1.4+dfsg1-7

26.1.4+dfsg1-8

26.1.4+dfsg1-9

26.1.4+dfsg2-1

26.1.4+dfsg3-1

26.1.5+dfsg1-1

26.1.5+dfsg1-2

26.1.5+dfsg1-3

26.1.5+dfsg1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

26.1.4+dfsg1-9

Affected versions

20.*

20.10.24+dfsg1-1

20.10.25+dfsg1-1

20.10.25+dfsg1-2

20.10.25+dfsg1-3

20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1

26.1.4+dfsg1-2

26.1.4+dfsg1-3

26.1.4+dfsg1-4

26.1.4+dfsg1-5

26.1.4+dfsg1-6

26.1.4+dfsg1-7

26.1.4+dfsg1-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/moby/moby

Affected ranges

Type: GIT
Repo: https://github.com/moby/moby
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3e230cfdcc989dc524882f6579f9e0dac77400ae

Affected versions

0.*

0.0.3

Other

autorun/1

docs-v1.*

docs-v1.12.0-rc4-2016-07-15

upstream/0.*

upstream/0.1.1

upstream/0.1.2

upstream/0.1.3

upstream/0.1.4

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.10.0

v0.11.0

v0.11.1

v0.12.0

v0.2.0

v0.2.1

v0.2.2

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.7.0

v0.7.0-rc5

v0.7.0-rc6

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.8.0

v0.8.1

v0.9.0

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v17.*

v17.12.0-ce-rc1

v18.*

v18.04.0-ce-rc1

v18.06.0-ce-rc1

v18.09.0-ce-tp0

v19.*

v19.03.0-beta1

v19.03.0-beta2

v19.03.0-beta3

v20.*

v20.10.0

v20.10.0-beta1

v20.10.0-rc1

v20.10.0-rc2

v20.10.1

v20.10.2

v22.*

v22.06.0-beta.0

v24.*

v24.0.0-beta.1

v24.0.0-beta.2

v24.0.0-rc.1

v24.0.0-rc.2

v25.*

v25.0.0

v25.0.0-beta.1

v25.0.0-beta.2

v25.0.0-beta.3

v25.0.0-rc.1

v25.0.0-rc.2

v25.0.0-rc.3