The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`. Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss. An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps. For example, an attacker could create an image that is considered a valid cache candidate for:

```dockerfile
FROM scratch
MAINTAINER Pawel
```

when in fact the malicious image used as a cache would be an image built from a different Dockerfile. In the second case, the attacker could for example substitute a different `HEALTHCHECK` command.

### Impact

23.0+ users are only affected if they explicitly opted out of BuildKit (`DOCKER_BUILDKIT=0` environment variable) or are using the `/build` API endpoint (which uses the classic builder by default). All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting. The image build API endpoint (`/build`) and the `ImageBuild` function from `github.com/docker/docker/client` are also affected, as they use the classic builder by default.

### Patches

Patches are included in Moby releases:

- v25.0.2
- v24.0.9

### Workarounds

- Use `--no-cache` or use BuildKit if possible (`DOCKER_BUILDKIT=1`; it's the default on 23.0+ assuming that the buildx plugin is installed).
- Use `Version = types.BuilderBuildKit` or `NoCache = true` in `ImageBuildOptions` for the `ImageBuild` call.
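The following shell helpers are an added example, not part of the advisory or of Moby itself. They encode the two checks a CI maintainer would want from the Impact and Workarounds sections above: whether a given daemon version and `DOCKER_BUILDKIT` setting would route a build through the classic builder with its cache enabled, and a build command that always applies one of the listed workarounds (BuildKit when the buildx plugin is present, `--no-cache` otherwise). The function names, the "yes"/"no" return convention and the sample version strings are assumptions made for this example; the `docker buildx version` probe is the only real Docker command it relies on.

```shell
#!/bin/sh
# Added example (not the Moby project's own code): audit helpers for the
# classic-builder cache poisoning advisory.

# classic_builder_exposed DAEMON_VERSION DOCKER_BUILDKIT_VALUE
#   Prints "yes" when a `docker build` would use the classic builder (the
#   vulnerable cache path) and "no" when BuildKit would be used.
#   Rules taken from the advisory:
#     - DOCKER_BUILDKIT=0 explicitly opts out of BuildKit on any version
#     - versions older than 23.0 default to the classic builder unless
#       DOCKER_BUILDKIT=1 is set
#     - 23.0+ defaults to BuildKit (assuming the buildx plugin is installed)
classic_builder_exposed() {
    version=$1
    buildkit=$2
    major=${version%%.*}            # "24.0.7" -> "24"
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$buildkit" = "0" ]; then
        echo yes; return 0
    fi
    if [ "$major" -lt 23 ]; then
        if [ "$buildkit" = "1" ]; then echo no; else echo yes; fi
        return 0
    fi
    echo no
}

# buildkit_available
#   Probes the local Docker CLI for the buildx plugin; prints "yes"/"no".
#   (Not exercised by the test below, since it needs a Docker install.)
buildkit_available() {
    if docker buildx version >/dev/null 2>&1; then echo yes; else echo no; fi
}

# safe_build_cmd BUILDKIT_AVAILABLE CONTEXT_DIR [docker build args...]
#   Prints the command line to run. With BuildKit available the build is
#   forced onto BuildKit (DOCKER_BUILDKIT=1); otherwise the classic builder
#   is used with --no-cache so no poisoned layer can be selected as a hit.
safe_build_cmd() {
    available=$1; shift
    ctx=$1; shift
    if [ "$available" = "yes" ]; then
        printf 'DOCKER_BUILDKIT=1 docker build%s %s\n' "${*:+ $*}" "$ctx"
    else
        printf 'docker build --no-cache%s %s\n' "${*:+ $*}" "$ctx"
    fi
}

# Typical use in a CI step (constructed example):
#   cmd=$(safe_build_cmd "$(buildkit_available)" . -t app:1)
#   echo "$cmd"; eval "$cmd"
```

For API clients that call `/build` directly or through `ImageBuild`, the equivalent of `safe_build_cmd` is the second workaround above: set `Version = types.BuilderBuildKit`, or `NoCache = true`, in `ImageBuildOptions`, since the endpoint does not honour `DOCKER_BUILDKIT`.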
CVE-2024-24557