Docker · Moby · CVE-2024-24557
**Name of the Vulnerable Software and Affected Versions**
Moby versions prior to 23.0
Moby versions 23.0 and later with the `DOCKER_BUILDKIT=0` environment variable set
Moby versions 23.0 and later using the /build API endpoint
**Description**
The classic builder cache system in Moby is prone to cache poisoning if the image is built `FROM scratch`. Changes to some instructions, such as `HEALTHCHECK` and `ONBUILD`, would not cause a cache miss. An attacker with knowledge of the Dockerfile could poison the cache by making the victim pull a specially crafted image that would be considered a valid cache candidate for some build steps. The image build API endpoint (`/build`) and the `ImageBuild` function from `github.com/docker/docker/client` are also affected, as they use the classic builder by default.
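To show why an unchanged cache key matters here, the following is an added example (not Moby's own code) that models in plain Go a cache-candidate comparison that ignores `HEALTHCHECK` and `ONBUILD` beside one that includes them; the `ImageConfig` type, the two `cacheHit*` functions and the sample data are constructed for this illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// ImageConfig is a simplified stand-in for the per-step image configuration a
// builder cache compares when deciding whether an already-present image can be
// reused for a build step. It is a model for this example, not Moby's own type.
type ImageConfig struct {
	Cmd         []string // command recorded for the step
	Env         []string // environment recorded for the step
	Healthcheck []string // HEALTHCHECK test command, nil when none is set
	OnBuild     []string // ONBUILD triggers, nil when none are set
}

// cacheHitClassic models the vulnerable behaviour: only a subset of fields is
// compared, so a candidate that differs only in HEALTHCHECK or ONBUILD is
// still accepted as a valid cache entry.
func cacheHitClassic(want, candidate ImageConfig) bool {
	return reflect.DeepEqual(want.Cmd, candidate.Cmd) &&
		reflect.DeepEqual(want.Env, candidate.Env)
}

// cacheHitFixed models the corrected comparison: the instruction-bearing
// fields take part, so a mismatch in HEALTHCHECK or ONBUILD is a cache miss.
func cacheHitFixed(want, candidate ImageConfig) bool {
	return cacheHitClassic(want, candidate) &&
		reflect.DeepEqual(want.Healthcheck, candidate.Healthcheck) &&
		reflect.DeepEqual(want.OnBuild, candidate.OnBuild)
}

// sampleConfigs returns constructed data: the config a Dockerfile step should
// produce, and a pulled image that matches it except for an added HEALTHCHECK.
func sampleConfigs() (want, pulled ImageConfig) {
	want = ImageConfig{Cmd: []string{"/bin/sh", "-c", "cp /tool /usr/bin/"}, Env: []string{"PATH=/usr/bin"}}
	pulled = want
	pulled.Healthcheck = []string{"CMD-SHELL", "/usr/bin/tool --check || exit 1"}
	return want, pulled
}

func main() {
	want, pulled := sampleConfigs()
	fmt.Printf("classic comparison reuses pulled image: %v\n", cacheHitClassic(want, pulled)) // true
	fmt.Printf("patched comparison reuses pulled image: %v\n", cacheHitFixed(want, pulled))   // false
}
```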
**Recommendations**
For versions prior to 23.0, update to a version that includes the patch, such as 24.0.9 or 25.0.2.
For versions 23.0 and later with the `DOCKER_BUILDKIT=0` environment variable set, set `DOCKER_BUILDKIT=1` to use BuildKit, or update to a version that includes the patch.
For versions 23.0 and later using the `/build` API endpoint, use the `--no-cache` option or update to a version that includes the patch.
As a temporary workaround, use `--no-cache` on the command line or set `NoCache = true` in `ImageBuildOptions` for the `ImageBuild` call.
Set `Version = types.BuilderBuildKit` in `ImageBuildOptions` for the `ImageBuild` call to use BuildKit instead of the classic builder.