PT-2023-20454 · Buildctl, Buildkit, Docker Buildx

Oscar Alberto Tovar · Published 2023-03-06 · Updated 2026-02-06
CVE-2023-26054 · CVSS v3.1 9.8 (Critical) · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BuildKit versions v0.11.0 through v0.11.3

Description: The issue arises when a build request contains a Git URL with embedded credentials and BuildKit creates a provenance attestation describing the build: the credentials can be recorded in that attestation. The Git URL can reach BuildKit in two ways: by invoking a build directly from a URL that carries credentials, or by sending additional version control system (VCS) info hint parameters on a build from a local source. When a build is performed under these conditions, the credentials may be visible to everyone who has access to the provenance attestation, for example anyone who can pull the image the attestation is attached to. Provenance attestations and VCS info hints were both added in version v0.11.0, so earlier releases are not affected.

Recommendations: For versions v0.11.0 through v0.11.3, upgrade to version v0.11.4, which fixes the issue. Users unable to upgrade should disable VCS info hints as a temporary workaround: in Docker Buildx this is done by setting the environment variable BUILDX_GIT_INFO=0. buildctl does not derive VCS hints from the .git directory, so for buildctl the values would only be present if they were passed manually with --opt; simply omit them. When building directly from a Git URL, pass credentials as build secrets rather than embedding them in the URL; a secret is not written into the provenance attestation, so this is the more secure alternative regardless of version.
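The following POSIX shell script is an added example and is not code from the advisory or the BuildKit project. It shows the two things a practitioner wants from these recommendations: the build invocations that keep credentials out of the attestation (build secret, and the BUILDX_GIT_INFO=0 workaround), and a check that scans an exported provenance attestation for URLs with embedded credentials. The attestation JSON embedded in the script is constructed for the example and uses hypothetical repository and token values; the regular expression, the function names and the `example/app` image name are assumptions of this example, not part of BuildKit.

```shell
#!/bin/sh
# Added example (not from the advisory or the BuildKit project): detect
# credential-bearing Git URLs in a provenance attestation, the data that
# CVE-2023-26054 could expose, and record the safer build invocations.

# Assumed pattern for "scheme://user:secret@host/..." userinfo inside a JSON
# document. URLs without userinfo and pkg: purls do not match.
CRED_URL_RE='[a-zA-Z][a-zA-Z0-9+.-]*://[^/@[:space:]"]+:[^/@[:space:]"]+@[^[:space:]"]+'

# Count credential-bearing URLs in a provenance file (prints 0 when clean).
leaked_count() {
    grep -Eo "$CRED_URL_RE" "$1" | wc -l | tr -d ' '
}

# Print each offending URL with the secret masked and return 1 if any were
# found, so the function can gate a CI step; return 0 when the file is clean.
scan_provenance_for_creds() {
    hits=$(grep -Eo "$CRED_URL_RE" "$1" || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed -E 's#(://[^:]+:)[^@]+@#\1***@#'
    return 1
}

# Constructed sample (hypothetical values) in the shape of a BuildKit SLSA
# provenance statement, with a credentialed Git URL recorded as the config source.
write_sample_provenance() {
    cat > "$1" <<'EOF'
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    "invocation": {
      "configSource": {
        "uri": "https://ci-bot:ghp_examplesecret@github.com/example/app.git#main",
        "entryPoint": "Dockerfile"
      }
    },
    "materials": [
      {"uri": "pkg:docker/alpine@3.17?platform=linux%2Famd64", "digest": {"sha256": "deadbeef"}}
    ]
  }
}
EOF
}

# The same constructed document as a fixed build would record it: no userinfo.
write_clean_provenance() {
    cat > "$1" <<'EOF'
{
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    "invocation": {
      "configSource": {"uri": "https://github.com/example/app.git#main", "entryPoint": "Dockerfile"}
    }
  }
}
EOF
}

# Safer invocations, following the advisory's recommendation (token read from
# the GIT_AUTH_TOKEN environment variable; GIT_AUTH_TOKEN is the secret id
# BuildKit uses for Git sources):
#   docker buildx build --secret id=GIT_AUTH_TOKEN,env=GIT_AUTH_TOKEN \
#       https://github.com/example/app.git#main
#   BUILDX_GIT_INFO=0 docker buildx build .      # workaround: no VCS hints in provenance
# To check a pushed image, export its attestation and scan it:
#   docker buildx imagetools inspect example/app:1 --format '{{json .Provenance}}' > provenance.json
#   scan_provenance_for_creds provenance.json || echo "credentials leaked into provenance"

demo() {
    tmp=$(mktemp)
    write_sample_provenance "$tmp"
    scan_provenance_for_creds "$tmp" || echo "leak detected in constructed sample"
    rm -f "$tmp"
}

demo
```

The scanner reports the masked URL rather than the secret itself, so its output can go into CI logs; the exit status is what the pipeline should act on.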

Information Disclosure

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BK59402
CLEANSTART-2026-BN11148
CLEANSTART-2026-GY69323
CLEANSTART-2026-HL71566
CLEANSTART-2026-JD48541
CLEANSTART-2026-OS18490
CLEANSTART-2026-SB85645
CLEANSTART-2026-SP51034
CLEANSTART-2026-TD34476
CLEANSTART-2026-XL45869
CLEANSTART-2026-YB44027
CLEANSTART-2026-ZM20570
CVE-2023-26054
GHSA-GC89-7GCR-JXQC
MGASA-2023-0329

Affected Products

Buildkit
Docker Buildx
Buildctl