blob: acbfb9e5053df60647b3f3d7e60ec6a4549da2f5 [file] [log] [blame]
id: GO-2024-2492
modules:
- module: github.com/moby/buildkit
versions:
- fixed: 0.12.5
vulnerable_at: 0.12.4
packages:
- package: github.com/moby/buildkit/solver/llbsolver
symbols:
- Solver.Solve
- llbBridge.loadResult
- loadSourcePolicy
- package: github.com/moby/buildkit/sourcepolicy
symbols:
- match
- package: github.com/moby/buildkit/control
symbols:
- Controller.Solve
- package: github.com/moby/buildkit/frontend/gateway/client
symbols:
- AttestationFromPB
- package: github.com/moby/buildkit/frontend/gateway
symbols:
- llbBridgeForwarder.Warn
- llbBridgeForwarder.Solve
- package: github.com/moby/buildkit/util/tracing/transform
symbols:
- spanEvents
- doubleArray
- arrayValues
- stringArray
- Attributes
- intArray
- links
- statusCode
- Spans
- boolArray
- package: github.com/moby/buildkit/exporter/containerimage/exptypes
symbols:
- ParsePlatforms
- package: github.com/moby/buildkit/exporter/containerimage
symbols:
- patchImageConfig
fix_links:
- https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c
summary: Panic in github.com/moby/buildkit
description: |-
A malicious BuildKit client or frontend could craft a request that could lead to
a BuildKit daemon crashing with a panic.
cves:
- CVE-2024-23650
ghsas:
- GHSA-9p26-698r-w4hx
credits:
- '@cpuguy83'
references:
- fix: https://github.com/moby/buildkit/pull/4601
- fix: https://github.com/moby/buildkit/commit/e1924dc32da35bfb0bfdbb9d0fc7bca25e552330
- fix: https://github.com/moby/buildkit/commit/7718bd5c3dc8fc5cd246a30cc41766e7a53c043c
- fix: https://github.com/moby/buildkit/commit/96663dd35bf3787d7efb1ee7fd9ac7fe533582ae
- fix: https://github.com/moby/buildkit/commit/481d9c45f473c58537f39694a38d7995cc656987
- fix: https://github.com/moby/buildkit/commit/83edaef59d545b93e2750f1f85675a3764593fee
- web: https://github.com/moby/buildkit/releases/tag/v0.12.5
review_status: REVIEWED