Upstream information
CVE-2024-23650 at MITRE
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.
Overall state of this security issue: Pending
This issue is currently rated as having moderate severity.
CVSS v3 Scores
| Metric | National Vulnerability Database | SUSE |
|---|---|---|
| Base Score | 5.3 | 6.2 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network | Local |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | None | None |
| Integrity Impact | None | None |
| Availability Impact | Low | High |
| CVSSv3 Version | 3.1 | 3.1 |
SUSE Bugzilla entry: 1219437 [NEW]
No SUSE Security Announcements cross referenced.
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 8 | aardvark-dns >= 1.10.0-1.module+el8.10.0+21209+52deeb51 | Patchnames: RHSA-2024:2988 |
| | buildah >= 1.33.6-2.module+el8.10.0+21371+46937ece | |
| | buildah-tests >= 1.33.6-2.module+el8.10.0+21371+46937ece | |
| | cockpit-podman >= 84.1-1.module+el8.10.0+21373+0d273fdf | |
| | conmon >= 2.1.10-1.module+el8.10.0+21077+98b84d8a | |
| | container-selinux >= 2.229.0-2.module+el8.10.0+21196+3f0abbca | |
| | containernetworking-plugins >= 1.4.0-2.module+el8.10.0+21366+f9cb49f8 | |
| | containers-common >= 1-81.module+el8.10.0+21340+c6c7475a | |
| | crit >= 3.18-4.module+el8.9.0+20326+387084d0 | |
| | criu >= 3.18-4.module+el8.9.0+20326+387084d0 | |
| | criu-devel >= 3.18-4.module+el8.9.0+20326+387084d0 | |
| | criu-libs >= 3.18-4.module+el8.9.0+20326+387084d0 | |
| | crun >= 1.14.3-2.module+el8.10.0+21340+c6c7475a | |
| | fuse-overlayfs >= 1.13-1.module+el8.10.0+20412+95ee28e2 | |
| | libslirp >= 4.4.0-1.module+el8.9.0+20326+387084d0 | |
| | libslirp-devel >= 4.4.0-1.module+el8.9.0+20326+387084d0 | |
| | netavark >= 1.10.3-1.module+el8.10.0+21306+6be40ce7 | |
| | oci-seccomp-bpf-hook >= 1.2.10-1.module+el8.10.0+20565+a40ba0e5 | |
| | podman >= 4.9.4-0.1.module+el8.10.0+21350+ea09fba1 | |
| | podman-catatonit >= 4.9.4-0.1.module+el8.10.0+21350+ea09fba1 | |
| | podman-docker >= 4.9.4-0.1.module+el8.10.0+21350+ea09fba1 | |
| | podman-gvproxy >= 4.9.4-0.1.module+el8.10.0+21350+ea09fba1 | |
| | podman-plugins >= 4.9.4-0.1.module+el8.10.0+21350+ea09fba1 | |
| | podman-remote >= 4.9.4-0.1.module+el8.10.0+21350+ea09fba1 | |
| | podman-tests >= 4.9.4-0.1.module+el8.10.0+21350+ea09fba1 | |
| | python3-criu >= 3.18-4.module+el8.9.0+20326+387084d0 | |
| | python3-podman >= 4.9.0-1.module+el8.10.0+21196+3f0abbca | |
| | runc >= 1.1.12-1.module+el8.10.0+21251+62b7388c | |
| | skopeo >= 1.14.3-0.1.module+el8.10.0+21251+62b7388c | |
| | skopeo-tests >= 1.14.3-0.1.module+el8.10.0+21251+62b7388c | |
| | slirp4netns >= 1.2.3-1.module+el8.10.0+21306+6be40ce7 | |
| | toolbox >= 0.0.99.5-2.module+el8.10.0+21341+ff0b5f89 | |
| | toolbox-tests >= 0.0.99.5-2.module+el8.10.0+21341+ff0b5f89 | |
| | udica >= 0.2.6-20.module+el8.9.0+20326+387084d0 | |
| openSUSE Tumbleweed | docker-stable >= 24.0.9_ce-6.1 | Patchnames: openSUSE-Tumbleweed-2024-14059, openSUSE-Tumbleweed-2024-14598 |
| | docker-stable-bash-completion >= 24.0.9_ce-6.1 | |
| | docker-stable-buildx >= 0.19.3-6.1 | |
| | docker-stable-fish-completion >= 24.0.9_ce-6.1 | |
| | docker-stable-rootless-extras >= 24.0.9_ce-6.1 | |
| | docker-stable-zsh-completion >= 24.0.9_ce-6.1 | |
| | singularity-ce >= 4.1.3-1.1 | |
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also, information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by the state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.
| Product(s) | Source package | State |
|---|---|---|
| Products under general support and receiving all security fixes: | | |
| SUSE Linux Micro 6.0 | buildkit | Affected |
| SUSE Linux Micro 6.1 | buildkit | Affected |
SUSE Timeline for this CVE
CVE page created: Thu Feb 1 01:00:38 2024
CVE page last modified: Thu Dec 19 00:53:47 2024