PT-2023-20454 · Buildctl +2 · Buildctl +2

🗓️ 06 Mar 2023 00:00:00Reported by Positive TechnologiesType

ptsecurity🔗 dbugs.ptsecurity.com👁 1 Views

BuildKit versions 0.11.0–0.11.3 expose credentials in provenance attestations when using a Git URL with credentials; upgrade to 0.11.4 or disable version hints.

Reporter	Title	Published	Views	Family All 49
AlpineLinux	CVE-2023-26054	6 Mar 202318:05	–	alpinelinux
Circl	CVE-2023-26054	6 Mar 202322:13	–	circl
CNNVD	BuildKit 信息泄露漏洞	6 Mar 202300:00	–	cnnvd
CVE	CVE-2023-26054	6 Mar 202318:05	–	cve
Cvelist	CVE-2023-26054 Credentials inlined to Git URLs could end up in provenance attestation in BuildKit	6 Mar 202318:05	–	cvelist
EUVD	EUVD-2023-1011	3 Oct 202520:07	–	euvd
Fedora	[SECURITY] Fedora 38 Update: moby-engine-24.0.5-1.fc38	30 Aug 202301:37	–	fedora
Fedora	[SECURITY] Fedora 37 Update: moby-engine-24.0.5-1.fc37	5 Sep 202300:47	–	fedora
Fedora	[SECURITY] Fedora 39 Update: moby-engine-24.0.5-1.fc39	15 Sep 202319:03	–	fedora
Tenable Nessus	Fedora 38 : moby-engine (2023-9f5f1ef40a)	30 Aug 202300:00	–	nessus

Source	Link
github	www.github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc
github	www.github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604
osv	www.osv.dev/vulnerability/UBUNTU-CVE-2023-26054
ubuntu	www.ubuntu.com/security/CVE-2023-26054
cve	www.cve.org/CVERecord
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE
osv	www.osv.dev/vulnerability/MGASA-2023-0329
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC
advisories	www.advisories.mageia.org/MGASA-2023-0329.html
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-26054

29 Nov 2023 00:00Current

6.2Medium risk

Vulners AI Score6.2

CVSS 3.16.5

EPSS0.01033

SSVC