CVE-2024-23650
BuildKit possible panic when incorrect parameters sent from frontend
In short
A malicious BuildKit client can send specially crafted requests that crash the BuildKit daemon, causing a denial of service. This vulnerability affects systems that use BuildKit with untrusted frontends.
Technical detail
The BuildKit daemon crashes due to improper error handling (CWE-754) when it receives malformed parameters from a frontend client. An attacker able to interact with the BuildKit API can trigger an unhandled panic, resulting in denial of service. Exploitation requires network or local access to the BuildKit daemon.
Summary generated and translated by AI from the official description.
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.
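As an added example (not code from the BuildKit project or from this advisory), a small Go check that classifies a `buildkitd` version string against the fix release named above; it assumes the version token has the usual `vMAJOR.MINOR.PATCH` shape with an optional pre-release suffix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the release the advisory names as carrying the fix.
var fixedVersion = [3]int{0, 12, 5}
// parseVersion splits a buildkitd version token ("v0.12.4", "v0.12.5-rc1") into major.minor.patch.
func parseVersion(s string) (v [3]int, prerelease bool, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		prerelease = s[i] == '-' // "-rc1" style suffix marks a pre-release build
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false, fmt.Errorf("unexpected version format: %q", s)
	}
	for i, p := range parts {
		n, e := strconv.Atoi(p)
		if e != nil || n < 0 {
			return v, false, fmt.Errorf("bad version component %q", p)
		}
		v[i] = n
	}
	return v, prerelease, nil
}

// IsAffected reports whether the given buildkitd version predates v0.12.5
// and is therefore still exposed to CVE-2024-23650.
func IsAffected(version string) (bool, error) {
	v, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for i := range v {
		if v[i] != fixedVersion[i] {
			return v[i] < fixedVersion[i], nil
		}
	}
	return pre, nil // same major.minor.patch as the fix: only a pre-release predates it
}

func main() {
	affected, err := IsAffected("v0.12.4") // constructed sample input
	fmt.Println("v0.12.4 affected:", affected, err)
}
```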
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
moby · buildkit