Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-23650

MEDIUM
Published 2024-01-31T21:42:13.382Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-23650. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
5.3
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.001
probability
of exploitation in the wild

There is a 0.1% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.247
Higher than 24.7% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
NONE
Availability
LOW

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

moby

buildkit

Affected Versions:

< 0.12.5
moby

buildkit

Affected Versions:

0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

BuildKit vulnerable to possible panic when incorrect parameters sent from frontend

GHSA-9p26-698r-w4hx

Advisory Details

### Impact A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. ### Patches The issue has been fixed in v0.12.5 ### Workarounds Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the `#syntax` line on your Dockerfile, or with `--frontend` flag when using `buildctl build` command. ### References

Affected Packages

Go github.com/moby/buildkit
ECOSYSTEM: ≥0 <0.12.5

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

WEB https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-23650
WEB https://github.com/moby/buildkit/pull/4601
WEB https://github.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987
WEB https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c
WEB https://github.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee
WEB https://github.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae
WEB https://github.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330
PACKAGE https://github.com/moby/buildkit
WEB https://github.com/moby/buildkit/releases/tag/v0.12.5

Advisory provided by GitHub Security Advisory Database. Published: January 31, 2024, Modified: March 4, 2024

References

https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
https://github.com/moby/buildkit/pull/4601
https://github.com/moby/buildkit/releases/tag/v0.12.5
Published: 2024-01-31T21:42:13.382Z
Last Modified: 2024-11-12T20:15:05.078Z
Copied to clipboard!