CVE-2024-23650

Public on 2024-01-31

Modified on 2024-02-02

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

Severity

Medium

See what this means

CVSS v3 Base Score

5.3

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 1	docker			No Fix Planned
Amazon Linux 2 - Docker Extra	docker	2024-08-29	ALAS2DOCKER-2024-044	Fixed
Amazon Linux 2 - Ecs Extra	docker	2024-08-29	ALAS2ECS-2024-041	Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra	docker	2024-08-29	ALAS2NITRO-ENCLAVES-2024-045	Fixed
Amazon Linux 2023	docker	2024-03-05	ALAS2023-2024-542	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
NVD	CVSSv3	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2024-23650 Mitre: CVE-2024-23650