BuildKit vulnerable to possible panic when incorrect parameters sent from frontend

Impact

A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.

Patches

The issue has been fixed in v0.12.5

Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax line on your Dockerfile, or with --frontend flag when using buildctl build command.

References

tonistiigi published to moby/buildkit Jan 31, 2024

Published by the National Vulnerability Database Jan 31, 2024

Published to the GitHub Advisory Database Jan 31, 2024

Reviewed Jan 31, 2024

Last updated Mar 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits