CVE-2024-24557: Classic builder cache poisoning
The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. In addition, changes to some instructions (most importantly HEALTHCHECK and ONBUILD) do not cause a cache miss, because those fields are not part of the cache comparison.
An attacker who knows the Dockerfile a victim uses could poison the victim's cache by making them pull a specially crafted image that the classic builder would consider a valid cache candidate for some build steps.
For example, an attacker could create an image that is considered a valid cache candidate for:

    FROM scratch
    MAINTAINER Pawel

when in fact the malicious image used as a cache was built from a different Dockerfile. In the HEALTHCHECK case, the attacker could for example substitute a different HEALTHCHECK command, and the build would still treat the image as a cache hit.
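To make the two failure modes concrete, the following Go program is an added example (this editor's simplified model, not moby's code or its patch). It models a local image store in which pulled images and images built FROM scratch both carry an empty parent, a cache comparison that ignores Healthcheck and OnBuild (the weakness described above), and a stricter lookup that compares every field and refuses layered candidates for an empty parent. The Config and Image structs, the sample store, and the "#(nop)" probe encoding are constructed for the example; the strict rules are an illustration of a hardening and deliberately trade some legitimate cache hits for safety.

```go
package main

import (
	"fmt"
	"reflect"
)

// Config is a cut-down stand-in for the image config fields the classic
// builder compares when it probes its cache. The field set is constructed
// for this example; Healthcheck and OnBuild are the ones the advisory names.
type Config struct {
	Cmd         []string
	Entrypoint  []string
	Env         []string
	Labels      map[string]string
	Healthcheck []string // e.g. ["CMD-SHELL", "..."]; nil when the Dockerfile has none
	OnBuild     []string
}

// Image is one entry in the local image store. Parent is "" both for an
// image built FROM scratch and for any image that was merely pulled, which
// is what lets a pulled image compete as a cache candidate for a scratch step.
type Image struct {
	ID     string
	Parent string
	Layers int // root-filesystem layers; 0 for FROM scratch plus metadata-only steps
	Config Config
}

// compareLegacy models the weakness the advisory describes: Healthcheck and
// OnBuild are left out, so configs differing only there look identical.
func compareLegacy(a, b Config) bool {
	return reflect.DeepEqual(a.Cmd, b.Cmd) &&
		reflect.DeepEqual(a.Entrypoint, b.Entrypoint) &&
		reflect.DeepEqual(a.Env, b.Env) &&
		reflect.DeepEqual(a.Labels, b.Labels)
}

// compareStrict compares every field of the config.
func compareStrict(a, b Config) bool {
	return reflect.DeepEqual(a, b)
}

// lookupCache returns the first store entry a builder would reuse for a step
// whose parent is parent and whose probe config is want. strict=false is the
// vulnerable behaviour. strict=true is this editor's illustration of a
// hardening (not moby's actual patch): all fields must match, and a candidate
// for an empty parent must itself be layerless, which is what FROM scratch
// followed by a metadata-only instruction produces and what a pulled image
// carrying a payload never is.
func lookupCache(store []Image, parent string, want Config, strict bool) (Image, bool) {
	for _, img := range store {
		if img.Parent != parent {
			continue
		}
		if strict {
			if parent == "" && img.Layers != 0 {
				continue
			}
			if !compareStrict(img.Config, want) {
				continue
			}
		} else if !compareLegacy(img.Config, want) {
			continue
		}
		return img, true
	}
	return Image{}, false
}

// nop builds the probe Cmd for a metadata-only instruction. The "#(nop)"
// marker is what the classic builder records; the exact spacing is simplified.
func nop(instruction string) []string {
	return []string{"/bin/sh", "-c", "#(nop) " + instruction}
}

// victimStep is the cache probe for the advisory's example Dockerfile
// (FROM scratch / MAINTAINER Pawel): empty parent, no HEALTHCHECK expected.
func victimStep() (string, Config) {
	return "", Config{Cmd: nop("MAINTAINER Pawel")}
}

// sampleStore is a constructed local image store: the attacker's pulled image
// (one payload layer, a substituted HEALTHCHECK, the expected Cmd) listed
// before an honest layerless image from an earlier build of the same step.
func sampleStore() []Image {
	return []Image{
		{ID: "sha256:attacker", Parent: "", Layers: 1, Config: Config{
			Cmd:         nop("MAINTAINER Pawel"),
			Healthcheck: []string{"CMD-SHELL", "/payload/beacon"}, // attacker-chosen
		}},
		{ID: "sha256:honest", Parent: "", Layers: 0, Config: Config{
			Cmd: nop("MAINTAINER Pawel"),
		}},
	}
}

// chosen reports which image ID the lookup reuses for the victim's step,
// or "" on a cache miss.
func chosen(strict bool) string {
	parent, want := victimStep()
	img, ok := lookupCache(sampleStore(), parent, want, strict)
	if !ok {
		return ""
	}
	return img.ID
}

func main() {
	fmt.Println("legacy lookup reuses:", chosen(false)) // sha256:attacker
	fmt.Println("strict lookup reuses:", chosen(true))  // sha256:honest
}
```

Running it shows the legacy lookup reusing the attacker's pulled image, so the rest of the build proceeds on the attacker's root filesystem and inherits the substituted HEALTHCHECK, while the strict lookup skips it and still finds the honest cache entry.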
References
- github.com/advisories/GHSA-xw73-rw38-6vjc
- github.com/moby/moby
- github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
- github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd
- github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff
- github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc
- nvd.nist.gov/vuln/detail/CVE-2024-24557