CVE-2024-24557

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-24557
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-24557.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-24557
Aliases
Downstream
Related
Published
2024-02-01T16:26:29Z
Modified
2025-10-30T20:25:10.292560Z
Severity
  • 6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L CVSS Calculator
Summary
Moby classic builder cache poisoning
Details

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

Database specific 
{
    "cwe_ids": [
        "CWE-345",
        "CWE-346"
    ]
}
References

Affected packages

Git / github.com/moby/moby

Affected ranges

Type
GIT
Repo
https://github.com/moby/moby
Events
Introduced
615dfdf67264ed5b08dd5e86657bf0e580731cea
Fixed
fce6e0ca9bc000888de3daa157af14fa41fcd0ff
Database specific 
{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/moby/moby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fca702de7f71362c8d103073c7e4a1d0a467fadd
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "24.0.9"
        }
    ]
}

Affected versions

0.*

0.0.3

Other

autorun/1

docs-v1.*

docs-v1.12.0-rc4-2016-07-15

upstream/0.*

upstream/0.1.1
upstream/0.1.2
upstream/0.1.3
upstream/0.1.4

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.11.1
v0.12.0
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.7.0
v0.7.0-rc5
v0.7.0-rc6
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.8.0
v0.8.1
v0.9.0

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1

v17.*

v17.12.0-ce-rc1

v18.*

v18.04.0-ce-rc1
v18.06.0-ce-rc1
v18.09.0-ce-tp0

v19.*

v19.03.0-beta1
v19.03.0-beta2
v19.03.0-beta3

v20.*

v20.10.0
v20.10.0-beta1
v20.10.0-rc1
v20.10.0-rc2
v20.10.1
v20.10.2

v22.*

v22.06.0-beta.0

v24.*

v24.0.0
v24.0.0-beta.1
v24.0.0-beta.2
v24.0.0-rc.1
v24.0.0-rc.2
v24.0.0-rc.3
v24.0.0-rc.4
v24.0.1
v24.0.2
v24.0.3
v24.0.4
v24.0.5
v24.0.6
v24.0.7
v24.0.8

v25.*

v25.0.0
v25.0.1