Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.
A vulnerability was found in the Moby Builder Toolkit. A malicious BuildKit client, or any frontend able to craft a request, could cause the BuildKit daemon to crash with a panic because of missing input validation. A frontend is usually specified with the #syntax line in a Dockerfile or with the --frontend flag of the buildctl build command.
Mitigation
Avoid untrusted input for the client or for the frontend syntax line to reduce the chance of this vulnerability being exploited.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | odo | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/client-kn-rhel8 | Not affected | | |
| OpenShift Serverless | openshift-serverless-clients | Not affected | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Not affected | | |
| Red Hat Ansible Automation Platform 1.2 | openshift-clients | Not affected | | |
| Red Hat Enterprise Linux 9 | buildah | Not affected | | |
| Red Hat Enterprise Linux 9 | podman | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift-clients | Affected | | |
| Red Hat OpenShift Dev Spaces | devspaces/traefik-rhel8 | Affected | | |
| Red Hat Quay 3 | quay/quay-builder-rhel8 | Affected | | |
Additional information
Status:
EPSS:
CVSS3: 5.3 Medium
Related vulnerabilities
BuildKit possible panic when incorrect parameters sent from frontend
BuildKit vulnerable to possible panic when incorrect parameters sent from frontend