CVE-2024-24557
ADVISORY - githubSummary
The classic builder cache system is prone to cache poisoning if the image is built FROM scratch
.
Also, changes to some instructions (most important being HEALTHCHECK
and ONBUILD
) would not cause a cache miss.
An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.
For example, an attacker could create an image that is considered as a valid cache candidate for:
FROM scratch
MAINTAINER Pawel
when in fact the malicious image used as a cache would be an image built from a different Dockerfile.
In the second case, the attacker could for example substitute a different HEALTCHECK
command.
Impact
23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0
environment variable) or are using the /build
API endpoint (which uses the classic builder by default).
All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.
Image build API endpoint (/build
) and ImageBuild
function from github.com/docker/docker/client
is also affected as it the uses classic builder by default.
Patches
Patches are included in Moby releases:
- v25.0.2
- v24.0.9
- v23.0.10
Workarounds
- Use
--no-cache
or use Buildkit if possible (DOCKER_BUILDKIT=1
, it's default on 23.0+ assuming that the buildx plugin is installed). - Use
Version = types.BuilderBuildKit
orNoCache = true
inImageBuildOptions
forImageBuild
call.
Common Weakness Enumeration (CWE)
NIST
GitHub
Alpine
-
Debian
-
Ubuntu
1.8
GoLang
-
Amazon
-
Red Hat
1.0
Chainguard
CGA-22jm-fmjr-77q6
-
Chainguard
CGA-2gpw-4jjj-6w6p
-
Chainguard
CGA-2rjm-c92x-965x
-
Chainguard
CGA-39vr-gjxj-cf9r
-
Chainguard
CGA-3grc-9228-r3mw
-
Chainguard
CGA-3cxw-qp9h-mmm7
-
Chainguard
CGA-3wfj-hp57-539m
-
Chainguard
CGA-4657-h355-3vj6
-
Chainguard
CGA-4qhj-752c-2p63
-
Chainguard
CGA-587g-vmpg-rmrv
-
Chainguard
CGA-4rgf-6wrr-m9ff
-
Chainguard
CGA-547j-36vf-v55c
-
Chainguard
CGA-639h-hx95-q3pg
-
Chainguard
CGA-5xfh-w4w2-9jpm
-
Chainguard
CGA-5whw-3j2g-4fgp
-
Chainguard
CGA-6p3g-fg7v-8x49
-
Chainguard
CGA-5v6x-f97r-5g9q
-
Chainguard
CGA-72m3-cfrc-g5p8
-
Chainguard
CGA-7wvr-qr3c-mh6g
-
Chainguard
CGA-7qhg-6vh2-qgcp
-
Chainguard
CGA-8gcw-q8w9-923j
-
Chainguard
CGA-82q6-3pfv-vvv6
-
Chainguard
CGA-8pgr-mg38-4cr2
-
Chainguard
CGA-936c-qp49-vcvp
-
Chainguard
CGA-9wm5-r7g7-rphp
-
Chainguard
CGA-9884-6h23-f335
-
Chainguard
CGA-96hf-fxjj-2w36
-
Chainguard
CGA-99c8-8w3w-f5r5
-
Chainguard
CGA-9rjg-7rhp-x2pc
-
Chainguard
CGA-9r76-cq2m-3vf8
-
Chainguard
CGA-c678-cw6j-h2mr
-
Chainguard
CGA-c72v-xcxw-78fc
-
Chainguard
CGA-cfv4-5gh4-x5wg
-
Chainguard
CGA-c4gv-xhxc-2m6m
-
Chainguard
CGA-cjhh-48pj-2vwj
-
Chainguard
CGA-cg8v-mvqg-95m4
-
Chainguard
CGA-fg5g-x9xf-4ccm
-
Chainguard
CGA-fgqw-2xwm-5c2h
-
Chainguard
CGA-cqpp-2rh4-xpjv
-
Chainguard
CGA-fj34-6jmf-8434
-
Chainguard
CGA-cr64-48m9-44jg
-
Chainguard
CGA-f72x-vprx-fgmf
-
Chainguard
CGA-fhm4-w97j-wj27
-
Chainguard
CGA-fgwh-7fxh-gf6c
-
Chainguard
CGA-g3m7-cfh3-3p28
-
Chainguard
CGA-f8hr-3gwx-55r3
-
Chainguard
CGA-g7q7-cw2x-f4g8
-
Chainguard
CGA-g7rm-r42p-j6xq
-
Chainguard
CGA-g3c2-2gm7-54j8
-
Chainguard
CGA-g8gj-wghv-24mp
-
Chainguard
CGA-h6gm-p5rx-h732
-
Chainguard
CGA-gwh5-7c96-858h
-
Chainguard
CGA-gvv3-xh43-3xw5
-
Chainguard
CGA-gw28-37q7-492p
-
Chainguard
CGA-h5cw-55qf-77vr
-
Chainguard
CGA-hcm4-mcr8-93j4
-
Chainguard
CGA-hr5f-f28h-62pf
-
Chainguard
CGA-h55m-gqgg-6877
-
Chainguard
CGA-j8fh-7jjm-55pj
-
Chainguard
CGA-hr6p-h36h-g26r
-
Chainguard
CGA-hx4x-59v6-957v
-
Chainguard
CGA-jjh9-88gj-mx26
-
Chainguard
CGA-jp2c-cv6p-q8wv
-
Chainguard
CGA-m29x-hcj7-j3jp
-
Chainguard
CGA-m42q-q6hw-jcw9
-
Chainguard
CGA-m9r4-f49r-2x69
-
Chainguard
CGA-ph4v-7jrg-mgqw
-
Chainguard
CGA-pgj7-gxpp-3mj7
-
Chainguard
CGA-q457-jq3v-2r43
-
Chainguard
CGA-pjxv-3w8w-5q47
-
Chainguard
CGA-pvj9-jfx8-wmx9
-
Chainguard
CGA-q2g3-vv8c-w7f2
-
Chainguard
CGA-qc5g-rhqg-5383
-
Chainguard
CGA-q3rg-3jgg-2q6c
-
Chainguard
CGA-q6q6-cjp4-5jq2
-
Chainguard
CGA-qhj2-8w7q-f79x
-
Chainguard
CGA-rrqr-gxgx-h54p
-
Chainguard
CGA-v5jh-4hqv-rqg9
-
Chainguard
CGA-rqjx-wxf9-cjj5
-
Chainguard
CGA-rmgp-6hvw-7m5j
-
Chainguard
CGA-vpjm-qx66-36cg
-
Chainguard
CGA-rmx8-rwwc-46fm
-
Chainguard
CGA-vv2g-2c4f-xcm2
-
Chainguard
CGA-v568-pjh9-f5q4
-
Chainguard
CGA-vj4x-8g68-v9v5
-
Chainguard
CGA-wfhj-pcf9-hp7g
-
Chainguard
CGA-wfj7-m938-wp8c
-
Chainguard
CGA-w4f3-6rv8-h9vx
-
Chainguard
CGA-wj3q-hpp5-r94x
-
Chainguard
CGA-w2g3-6xjq-g57p
-
Chainguard
CGA-wwpx-gpc4-369g
-
Chainguard
CGA-x26c-vf88-vfgp
-
Chainguard
CGA-x6j2-ph2r-h2f2
-
Chainguard
CGA-xq2v-g5jm-46j3
-
Chainguard
CGA-ppx7-757f-46h3
-
Chainguard
CGA-m3q7-c27q-xrpv
-
Chainguard
CGA-m7h8-5rq6-qvv5
-
Chainguard
CGA-5cjr-3x27-9245
-
Chainguard
CGA-hqm9-7vvq-qf8v
-
Photon
CVE-2024-24557
-