CVE-2024-24557

Moby classic builder cache poisoning

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

Moby es un proyecto de código abierto creado por Docker para permitir la contenedorización de software. El sistema de caché del constructor clásico es propenso a envenenar el caché si la imagen se crea DESDE scratch. Además, los cambios en algunas instrucciones (las más importantes son HEALTHCHECK y ONBUILD) no provocarían una pérdida de caché. Un atacante con conocimiento del Dockerfile que alguien está usando podría envenenar su caché al obligarlo a extraer una imagen especialmente manipulada que se consideraría como un candidato de caché válido para algunos pasos de compilación. Los usuarios de 23.0+ solo se ven afectados si optaron explícitamente por no participar en Buildkit (variable de entorno DOCKER_BUILDKIT=0) o si están usando el endpoint API /build. Todos los usuarios con versiones anteriores a la 23.0 podrían verse afectados. El punto final de la API de creación de imágenes (/build) y la función ImageBuild de github.com/docker/docker/client también se ven afectados ya que utiliza el generador clásico de forma predeterminada. Los parches se incluyen en las versiones 24.0.9 y 25.0.2.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-25 CVE Reserved
2024-02-01 CVE Published
2024-02-10 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-345: Insufficient Verification of Data Authenticity
CWE-346: Origin Validation Error

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae	2024-02-09

URL	Date	SRC
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc	2024-02-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mobyproject Search vendor "Mobyproject"		Moby Search vendor "Mobyproject" for product "Moby"				< 24.0.9 Search vendor "Mobyproject" for product "Moby" and version " < 24.0.9"		-		Affected
Mobyproject Search vendor "Mobyproject"		Moby Search vendor "Mobyproject" for product "Moby"				>= 25.0.0 < 25.0.2 Search vendor "Mobyproject" for product "Moby" and version " >= 25.0.0 < 25.0.2"		-		Affected