Docker Moby Classic Builder Cache Poisoning (23.x and <23.0, fixed 24.0.9/25.0.2)
CVE-2024-24557 Published on February 1, 2024
Moby classic builder cache poisoning
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.
Vulnerability Analysis
CVE-2024-24557 can be exploited with local system access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and a small impact on availability.
Weakness Types
Origin Validation Error
The software does not properly verify that the source of data or communication is valid.
Insufficient Verification of Data Authenticity
The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Products Associated with CVE-2024-24557
stack.watch emails you whenever new vulnerabilities are published in Mobyproject Moby or Docker. Just hit a watch button to start following.
Affected Versions
moby:- Version >= 25.0.0, < 25.0.2 is affected.
- Version < 24.0.9 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.