UBUNTU-CVE-2025-0495
- Source
- https://ubuntu.com/security/CVE-2025-0495
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0495.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-0495
- Related
- Published
- 2025-03-17T20:15:00Z
- Modified
- 2025-04-23T15:06:17Z
- Summary
- [none]
- Details
-
Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.
- References
Affected packages
Ubuntu:20.04:LTS / docker-buildx
Package
- Name
- docker-buildx
- Purl
- pkg:deb/ubuntu/docker-buildx@0.14.1-0ubuntu1~20.04.1?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:22.04:LTS / docker-buildx
Package
- Name
- docker-buildx
- Purl
- pkg:deb/ubuntu/docker-buildx@0.14.1-0ubuntu1~22.04.1?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:24.10 / docker-buildx
Package
- Name
- docker-buildx
- Purl
- pkg:deb/ubuntu/docker-buildx@0.14.1-0ubuntu1?arch=source&distro=oracular
Ubuntu:24.04:LTS / docker-buildx
Package
- Name
- docker-buildx
- Purl
- pkg:deb/ubuntu/docker-buildx@0.14.1-0ubuntu1~24.04.1?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected