5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23650

GHSA ID

GHSA-9p26-698r-w4hx

EPSS Score

0.24673%

CWE

CWE-754

Published

1/31/2024

Updated

3/4/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23650

CVE-2024-23650: BuildKit vulnerable to possible panic when incorrect parameters sent from frontend

Impact

A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.

Patches

The issue has been fixed in v0.12.5

Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax line on your Dockerfile, or with --frontend flag when using buildctl build command.

References

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23650

GHSA ID

GHSA-9p26-698r-w4hx

EPSS Score

0.24673%

CWE

CWE-754

Published

1/31/2024

Updated

3/4/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/moby/buildkit	go	< 0.12.5	0.12.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing validation checks for mandatory platform fields in image configurations. The patch added explicit checks for 'img.OS' and 'img.Architecture' in patchImageConfig() to prevent null/missing values from causing panics. The CWE-754 (Improper Check for Unusual Conditions) and commit diff showing added validations confirm this was the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * m*li*ious *uil*Kit *li*nt or *ront*n* *oul* *r**t * r*qu*st t**t *oul* l*** to *uil*Kit ***mon *r*s*in* wit* * p*ni*. ### P*t***s T** issu* **s ***n *ix** in v*.**.* ### Work*roun*s *voi* usin* *uil*Kit *ront*n*s *rom untrust** sour**s

Reasoning

T** vuln*r**ility st*ms *rom missin* `v*li**tion` ****ks *or m*n**tory pl*t*orm *i*l*s in im*** *on*i*ur*tions. T** p*t** ***** *xpli*it ****ks *or 'im*.OS' *n* 'im*.*r**it**tur*' in `p*t**Im****on*i*()` to pr*v*nt null/missin* v*lu*s *rom **usin* p*

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-23650: BuildKit vulnerable to possible panic when incorrect parameters sent from frontend

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI