Moby is vulnerable to Cache Poisoning. The vulnerability is due to improper cache configuration when the image is built FROM scratch
. This issue can be exploited by an attacker to poison the cache and force a user to pull a specially crafted image. Note that 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0
environment variable) or are using the /build
API endpoint.