PT-2024-1509 · Docker+3 · Moby+4

Rumpl +1 · Published 2024-02-01 · Updated 2026-02-06 · CVE-2024-24557

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Moby versions prior to 23.0
Moby versions 23.0 and later with the DOCKER_BUILDKIT=0 environment variable
Moby versions 23.0 and later using the /build API endpoint

Description

The classic builder cache system in Moby is prone to cache poisoning if the image is built FROM scratch. Changes to some instructions, such as HEALTHCHECK and ONBUILD, would not cause a cache miss. An attacker with knowledge of the Dockerfile a victim uses could poison the victim's cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps. The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default.

Recommendations

For versions prior to 23.0, update to a version that includes the patch, such as 24.0.9 or 25.0.2.
For versions 23.0 and later with the DOCKER_BUILDKIT=0 environment variable, set DOCKER_BUILDKIT=1 to use BuildKit or update to a version that includes the patch.
For versions 23.0 and later using the /build API endpoint, consider using the --no-cache option or updating to a version that includes the patch.
As a temporary workaround, consider using --no-cache or setting NoCache = true in ImageBuildOptions for the ImageBuild call. Use Version = types.BuilderBuildKit in ImageBuildOptions for the ImageBuild call to use BuildKit.
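
A triage sketch for the recommendations above, added here as an example and not taken from the advisory or the Moby project. It classifies a CLI build from the engine version, the DOCKER_BUILDKIT value and whether --no-cache is passed, and flags build commands that force the classic builder without the workaround. The function names and sample command lines are constructed, and treating 24.0.9 and 25.0.2 as the first fixed releases of their lines is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): CVE-2024-24557 build triage.

# version_ge A B: succeeds when dotted version A >= B (three numeric fields).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# classify_build VERSION DOCKER_BUILDKIT NO_CACHE(yes|no)
# Prints one of: patched | buildkit | mitigated-no-cache | exposed
classify_build() {
  local ver=$1 bk=$2 nocache=$3
  # Assumption: 24.0.9 and 25.0.2 (the releases the advisory names) are the
  # first fixed versions of the 24.0 and 25.0 lines.
  if version_ge "$ver" 25.0.2 ||
     { version_ge "$ver" 24.0.9 && ! version_ge "$ver" 25.0.0; }; then
    echo patched; return
  fi
  # From 23.0 on, the classic builder is used only when DOCKER_BUILDKIT=0.
  # Every release before 23.0 is treated as classic, as the advisory lists it.
  if version_ge "$ver" 23.0.0 && [ "$bk" != 0 ]; then
    echo buildkit; return
  fi
  if [ "$nocache" = yes ]; then echo mitigated-no-cache; else echo exposed; fi
}

# scan_build_cmds: reads command lines on stdin and prints those that force
# the classic builder (DOCKER_BUILDKIT=0) without the --no-cache workaround.
scan_build_cmds() {
  grep -E 'DOCKER_BUILDKIT=0' | grep -E 'docker (image )?build' |
    grep -v -e '--no-cache' || true
}

# Constructed CI command lines used as sample input.
sample_cmds() {
  cat <<'EOF'
DOCKER_BUILDKIT=0 docker build -t app:ci .
DOCKER_BUILDKIT=0 docker build --no-cache -t app:release .
DOCKER_BUILDKIT=1 docker build -t app:dev .
EOF
}

classify_build 23.0.6 0 no
sample_cmds | scan_build_cmds
```

This covers CLI builds only; clients that call /build or ImageBuild need NoCache or Version checked in their own ImageBuildOptions.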

Weakness Enumeration

Origin Validation Error
Insufficient Verification of Data Authenticity

Related Identifiers

AZL-34275
AZL-35002
BDU:2024-01020
CLEANSTART-2026-BK59402
CLEANSTART-2026-BN11148
CLEANSTART-2026-GY69323
CLEANSTART-2026-HL71566
CLEANSTART-2026-JD48541
CLEANSTART-2026-OS18490
CLEANSTART-2026-SB85645
CLEANSTART-2026-SP51034
CLEANSTART-2026-TD34476
CLEANSTART-2026-XL45869
CLEANSTART-2026-YB44027
CLEANSTART-2026-ZM20570
CVE-2024-24557
ECHO-CCFB-33B9-BA76
GHSA-XW73-RW38-6VJC
GO-2024-2512
OESA-2024-1302
OPENSUSE-SU-2024:14287-1

Affected Products

Astra Linux
Debian
Docker
Moby
Red Os