DEBIAN-CVE-2024-24557

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2024-24557

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-24557.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-24557

Upstream

CVE-2024-24557

Published

2024-02-01T17:15:10Z

Modified

2025-09-25T23:29:58.194631Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

References

https://security-tracker.debian.org/tracker/CVE-2024-24557

Affected packages

Debian:11 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.5+dfsg1-1

20.10.5+dfsg1-1+deb11u1

20.10.5+dfsg1-1+deb11u2

20.10.5+dfsg1-1+deb11u3

20.10.5+dfsg1-1+deb11u4

20.10.8+dfsg1-1

20.10.8+dfsg1-2

20.10.10+dfsg1-1

20.10.11+dfsg1-1

20.10.11+dfsg1-2

20.10.14+dfsg1-1

20.10.17+dfsg1-1

20.10.19+dfsg1-1

20.10.21+dfsg1-1

20.10.22+dfsg1-1

20.10.22+dfsg1-2

20.10.23+dfsg1-1

20.10.24+dfsg1-1

20.10.25+dfsg1-1

20.10.25+dfsg1-2

20.10.25+dfsg1-3

20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1

26.1.4+dfsg1-2

26.1.4+dfsg1-3

26.1.4+dfsg1-4

26.1.4+dfsg1-5

26.1.4+dfsg1-6

26.1.4+dfsg1-7

26.1.4+dfsg1-8

26.1.4+dfsg1-9

26.1.4+dfsg2-1

26.1.4+dfsg3-1

26.1.5+dfsg1-1

26.1.5+dfsg1-2

26.1.5+dfsg1-3

26.1.5+dfsg1-4

26.1.5+dfsg1-5

26.1.5+dfsg1-6

26.1.5+dfsg1-7

26.1.5+dfsg1-8

26.1.5+dfsg1-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.24+dfsg1-1

20.10.24+dfsg1-1+deb12u1

20.10.25+dfsg1-1

20.10.25+dfsg1-2

20.10.25+dfsg1-3

20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1

26.1.4+dfsg1-2

26.1.4+dfsg1-3

26.1.4+dfsg1-4

26.1.4+dfsg1-5

26.1.4+dfsg1-6

26.1.4+dfsg1-7

26.1.4+dfsg1-8

26.1.4+dfsg1-9

26.1.4+dfsg2-1

26.1.4+dfsg3-1

26.1.5+dfsg1-1

26.1.5+dfsg1-2

26.1.5+dfsg1-3

26.1.5+dfsg1-4

26.1.5+dfsg1-5

26.1.5+dfsg1-6

26.1.5+dfsg1-7

26.1.5+dfsg1-8

26.1.5+dfsg1-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

26.1.4+dfsg1-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

26.1.4+dfsg1-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}