CVE-2024-24557 : Moby is an open-source project created by Docker to enable software containeriza

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

Published 2024-02-01 17:15:11

Updated 2024-02-09 20:21:33

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2024-24557

Mobyproject » Moby
Versions before (<) 24.0.9
cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
Matching versions
Mobyproject » Moby
Versions from including (>=) 25.0.0 and before (<) 25.0.2
cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-24557

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 16 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-24557

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST	2024-02-09
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.9	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L	1.0	5.3	GitHub, Inc.	2024-02-01
Attack Vector: Local Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: High Availability: Low

CWE ids for CVE-2024-24557

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Assigned by: security-advisories@github.com (Secondary)
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2024-24557

https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae

Merge pull request from GHSA-xw73-rw38-6vjc · moby/moby@3e230cf · GitHub
Patch
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc

Classic builder cache poisoning · Advisory · moby/moby · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2024-24557

Products affected by CVE-2024-24557

Exploit prediction scoring system (EPSS) score for CVE-2024-24557

CVSS scores for CVE-2024-24557

CWE ids for CVE-2024-24557

References for CVE-2024-24557