GoogleOSV:GO-2024-2492

HistoryFeb 12, 2024 - 6:45 p.m.

Panic in github.com/moby/buildkit

2024-02-1218:45:38

Google

osv.dev

malicious request

crash

buildkit daemon

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.6%

JSON

A malicious BuildKit client or frontend could craft a request that could lead to a BuildKit daemon crashing with a panic.

CPENameOperatorVersion
github.com/moby/buildkitlt0.12.5

CPE	Name	Operator	Version
	github.com/moby/buildkit	lt	0.12.5

References

github.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987

github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c

github.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee

github.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae

github.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330

github.com/moby/buildkit/pull/4601

github.com/moby/buildkit/releases/tag/v0.12.5

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.6%

JSON

Related for OSV:GO-2024-2492