{"id":"CVE-2024-24557","summary":"Moby classic builder cache poisoning","details":"Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (the most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default. Patches are included in the 24.0.9 and 25.0.2 releases.","aliases":["GHSA-xw73-rw38-6vjc","GO-2024-2512"],"modified":"2026-04-02T10:03:45.973831Z","published":"2024-02-01T16:26:29.685Z","related":["CGA-84m3-g3p3-gw6w","openSUSE-SU-2024:14287-1"],"database_specific":{"cwe_ids":["CWE-345","CWE-346"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24557.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24557.json"},{"type":"ADVISORY","url":"https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24557"},{"type":"FIX","url":"https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moby/moby","events":[{"introduced":"615dfdf67264ed5b08dd5e86657bf0e580731cea"},{"fixed":"fce6e0ca9bc000888de3daa157af14fa41fcd0ff"}],"database_specific"
:{"versions":[{"introduced":"25.0.0"},{"fixed":"25.0.2"}]}},{"type":"GIT","repo":"https://github.com/moby/moby","events":[{"introduced":"0"},{"fixed":"fca702de7f71362c8d103073c7e4a1d0a467fadd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"24.0.9"}]}}],"versions":["0.0.3","api/v1.52.0","api/v1.52.0-alpha.0","api/v1.52.0-alpha.1","api/v1.52.0-beta.0","api/v1.52.0-beta.1","api/v1.52.0-beta.2","api/v1.52.0-beta.3","api/v1.52.0-beta.4","api/v1.52.0-rc.1","api/v1.53.0","api/v1.53.0-rc.1","api/v1.53.0-rc.2","api/v1.54.0","api/v1.54.0-rc.1","autorun/1","builder/1","builder/2","client/v0.1.0","client/v0.1.0-alpha.0","client/v0.1.0-beta.0","client/v0.1.0-beta.1","client/v0.1.0-beta.2","client/v0.1.0-beta.3","client/v0.1.0-rc.1","client/v0.2.0","client/v0.2.1","client/v0.2.2","client/v0.2.2-rc.1","client/v0.2.2-rc.2","client/v0.2.3-rc.1","client/v0.3.0","debian/0.1.1-1","docker-v29.0.0","docker-v29.0.0-rc.1","docker-v29.0.0-rc.2","docker-v29.0.0-rc.3","docker-v29.0.1","docker-v29.0.2","docker-v29.0.3","docker-v29.0.4","docker-v29.1.0","docker-v29.1.0-rc.1","docker-v29.1.1","docker-v29.1.2","docker-v29.1.3","docker-v29.1.4","docker-v29.1.5","docker-v29.2.0","docker-v29.2.0-rc.1","docker-v29.2.0-rc.2","docker-v29.2.1","docker-v29.3.0","docker-v29.3.0-rc.1","docker-v29.3.1","docs-v1.11.2-2016-06-10","docs-v1.12.0-2016-07-28","docs-v1.12.0-2016-07-29","docs-v1.12.0-2016-08-03","docs-v1.12.0-2016-08-03.1","docs-v1.12.0-2016-08-09","docs-v1.12.0-rc4-2016-07-15","docs-v1.12.1-2016-08-12","upstream/0.1.1","upstream/0.1.2","upstream/0.1.3","upstream/0.1.4","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.10.0","v0.11.0","v0.11.1","v0.12.0","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.4.8","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.6.0","v0.6.1","v0.6.2","v0.6.3","v0.6.4","v0.6.5","v0.6.6","v0.6.7","v0.7.0","v0.7.0-rc1","v0.7.0-rc2","v
0.7.0-rc3","v0.7.0-rc4","v0.7.0-rc5","v0.7.0-rc6","v0.7.0-rc7","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.7.5","v0.7.6","v0.8.0","v0.8.1","v0.9.0","v0.9.1","v1.0.0","v1.0.1","v1.1.0","v1.1.1","v1.1.2","v1.10.0","v1.10.0-rc1","v1.10.0-rc2","v1.10.0-rc3","v1.10.0-rc4","v1.10.1","v1.10.1-rc1","v1.10.2","v1.10.2-rc1","v1.10.3","v1.10.3-rc1","v1.10.3-rc2","v1.11.0","v1.11.0-rc1","v1.11.0-rc2","v1.11.0-rc3","v1.11.0-rc4","v1.11.0-rc5","v1.11.1","v1.11.1-rc1","v1.11.2","v1.11.2-rc1","v1.12.0","v1.12.0-rc1","v1.12.0-rc2","v1.12.0-rc3","v1.12.0-rc4","v1.12.0-rc5","v1.12.1","v1.12.1-rc1","v1.12.1-rc2","v1.12.2","v1.12.2-rc1","v1.12.2-rc2","v1.12.2-rc3","v1.12.3","v1.12.3-rc1","v1.12.4","v1.12.4-rc1","v1.12.5","v1.12.5-rc1","v1.12.6","v1.13.0","v1.13.0-rc1","v1.13.0-rc2","v1.13.0-rc3","v1.13.0-rc4","v1.13.0-rc5","v1.13.0-rc6","v1.13.0-rc7","v1.13.1","v1.13.1-rc1","v1.13.1-rc2","v1.2.0","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.4.0","v1.4.1","v1.5.0","v1.5.0-rc1","v1.5.0-rc2","v1.5.0-rc3","v1.5.0-rc4","v1.6.0","v1.6.0-rc1","v1.6.0-rc2","v1.6.0-rc3","v1.6.0-rc4","v1.6.0-rc5","v1.6.0-rc6","v1.6.0-rc7","v1.6.1","v1.6.2","v1.7.0","v1.7.0-rc1","v1.7.0-rc2","v1.7.0-rc3","v1.7.0-rc4","v1.7.0-rc5","v1.7.1","v1.7.1-rc1","v1.7.1-rc2","v1.7.1-rc3","v1.8.0","v1.8.0-rc1","v1.8.0-rc2","v1.8.0-rc3","v1.8.1","v1.8.2","v1.8.2-rc1","v1.8.3","v1.9.0","v1.9.0-rc1","v1.9.0-rc2","v1.9.0-rc3","v1.9.0-rc4","v1.9.0-rc5","v1.9.1","v1.9.1-rc1","v17.03.0-ce","v17.03.0-ce-rc1","v17.03.1-ce","v17.03.1-ce-rc1","v17.03.2-ce","v17.03.2-ce-rc1","v17.04.0-ce","v17.04.0-ce-rc1","v17.04.0-ce-rc2","v17.05.0-ce","v17.05.0-ce-rc1","v17.05.0-ce-rc2","v17.05.0-ce-rc3","v17.06.0-ce","v17.06.0-ce-rc1","v17.06.0-ce-rc2","v17.06.0-ce-rc3","v17.06.0-ce-rc4","v17.06.0-ce-rc5","v17.06.1-ce","v17.06.1-ce-rc1","v17.06.1-ce-rc2","v17.06.1-ce-rc3","v17.06.1-ce-rc4","v17.06.2-ce","v17.06.2-ce-rc1","v17.07.0-ce","v17.07.0-ce-rc1","v17.07.0-ce-rc2","v17.07.0-ce-rc3","v17.07.0-ce-rc4","v17.09.0-ce","v17.09.0-ce-rc1","v17.09.0-ce-rc2","v17
.09.0-ce-rc3","v17.09.1-ce","v17.09.1-ce-rc1","v17.10.0-ce","v17.10.0-ce-rc1","v17.10.0-ce-rc2","v17.11.0-ce","v17.11.0-ce-rc1","v17.11.0-ce-rc2","v17.11.0-ce-rc3","v17.11.0-ce-rc4","v17.12.0-ce","v17.12.0-ce-rc1","v17.12.0-ce-rc2","v17.12.0-ce-rc3","v17.12.0-ce-rc4","v17.12.1-ce","v17.12.1-ce-rc1","v17.12.1-ce-rc2","v18.01.0-ce","v18.01.0-ce-rc1","v18.02.0-ce","v18.02.0-ce-rc1","v18.02.0-ce-rc2","v18.03.0-ce","v18.03.0-ce-rc1","v18.03.0-ce-rc2","v18.03.0-ce-rc3","v18.03.0-ce-rc4","v18.03.1-ce","v18.03.1-ce-rc1","v18.03.1-ce-rc2","v18.04.0-ce","v18.04.0-ce-rc1","v18.04.0-ce-rc2","v18.05.0-ce","v18.05.0-ce-rc1","v18.06.0-ce","v18.06.0-ce-rc1","v18.06.0-ce-rc2","v18.06.0-ce-rc3","v18.06.1-ce","v18.06.1-ce-rc1","v18.06.1-ce-rc2","v18.06.2-ce","v18.06.3-ce","v18.09.0","v18.09.0-beta3","v18.09.0-beta5","v18.09.0-ce-beta1","v18.09.0-ce-tp0","v18.09.0-ce-tp3","v18.09.0-ce-tp4","v18.09.0-ce-tp5","v18.09.0-ce-tp6","v18.09.0-rc1","v18.09.1","v18.09.1-beta1","v18.09.1-beta2","v18.09.1-rc1","v18.09.2","v18.09.3","v18.09.3-rc1","v18.09.4","v18.09.4-rc1","v18.09.5","v18.09.5-rc1","v18.09.6","v18.09.6-rc1","v18.09.7","v18.09.7-rc1","v18.09.8","v18.09.9","v18.09.9-rc1","v19.03.0","v19.03.0-beta1","v19.03.0-beta2","v19.03.0-beta3","v19.03.0-beta4","v19.03.0-beta5","v19.03.0-rc2","v19.03.0-rc3","v19.03.1","v19.03.10","v19.03.11","v19.03.12","v19.03.13","v19.03.13-beta1","v19.03.13-beta2","v19.03.14","v19.03.15","v19.03.2","v19.03.2-beta1","v19.03.2-rc1","v19.03.3","v19.03.3-beta1","v19.03.3-beta2","v19.03.3-rc1","v19.03.4","v19.03.4-rc1","v19.03.5","v19.03.5-beta1","v19.03.5-beta2","v19.03.5-rc1","v19.03.6","v19.03.6-rc1","v19.03.6-rc2","v19.03.7","v19.03.8","v19.03.9","v2.0.0-beta.0","v2.0.0-beta.1","v2.0.0-beta.2","v2.0.0-beta.3","v2.0.0-beta.4","v2.0.0-beta.5","v2.0.0-beta.6","v2.0.0-beta.7","v2.0.0-beta.8","v20.10.0","v20.10.0-beta1","v20.10.0-rc1","v20.10.0-rc2","v20.10.1","v20.10.10","v20.10.10-rc1","v20.10.11","v20.10.12","v20.10.13","v20.10.14","v20.10.15","v20.10.16","v20.10
.17","v20.10.18","v20.10.19","v20.10.2","v20.10.20","v20.10.21","v20.10.22","v20.10.23","v20.10.24","v20.10.25","v20.10.26","v20.10.27","v20.10.3","v20.10.4","v20.10.5","v20.10.6","v20.10.7","v20.10.8","v20.10.9","v22.06.0-beta.0","v23.0.0","v23.0.0-beta.1","v23.0.0-rc.1","v23.0.0-rc.2","v23.0.0-rc.3","v23.0.0-rc.4","v23.0.1","v23.0.10","v23.0.11","v23.0.12","v23.0.13","v23.0.14","v23.0.15","v23.0.16","v23.0.17","v23.0.18","v23.0.2","v23.0.3","v23.0.4","v23.0.5","v23.0.6","v23.0.7","v23.0.8","v23.0.9","v24.0.0","v24.0.0-beta.1","v24.0.0-beta.2","v24.0.0-rc.1","v24.0.0-rc.2","v24.0.0-rc.3","v24.0.0-rc.4","v24.0.1","v24.0.2","v24.0.3","v24.0.4","v24.0.5","v24.0.6","v24.0.7","v24.0.8","v25.0.0","v25.0.0-beta.1","v25.0.0-beta.2","v25.0.0-beta.3","v25.0.0-rc.1","v25.0.0-rc.2","v25.0.0-rc.3","v25.0.1","v25.0.10","v25.0.11","v25.0.12","v25.0.13","v25.0.14","v25.0.2","v25.0.3","v25.0.4","v25.0.5","v25.0.6","v25.0.7","v25.0.8","v25.0.9","v26.0.0","v26.0.0-rc1","v26.0.0-rc2","v26.0.0-rc3","v26.0.1","v26.0.2","v26.1.0","v26.1.1","v26.1.2","v26.1.3","v26.1.4","v26.1.5","v27.0.0-rc.1","v27.0.0-rc.2","v27.0.1","v27.0.1-rc.1","v27.0.2","v27.0.3","v27.1.0","v27.1.1","v27.1.2","v27.2.0","v27.2.0-rc.1","v27.2.1","v27.3.0","v27.3.0-rc.1","v27.3.0-rc.2","v27.3.1","v27.4.0","v27.4.0-rc.1","v27.4.0-rc.2","v27.4.0-rc.3","v27.4.0-rc.4","v27.4.1","v27.5.0","v27.5.0-rc.1","v27.5.0-rc.2","v27.5.1","v28.0.0","v28.0.0-rc.1","v28.0.0-rc.2","v28.0.0-rc.3","v28.0.1","v28.0.2","v28.0.3","v28.0.4","v28.1.0","v28.1.0-rc.1","v28.1.0-rc.2","v28.1.1","v28.2.0","v28.2.0-rc.1","v28.2.0-rc.2","v28.2.1","v28.2.2","v28.3.0","v28.3.0-rc.1","v28.3.0-rc.2","v28.3.1","v28.3.2","v28.3.3","v28.4.0","v28.4.0-rc.1","v28.4.0-rc.2","v28.5.0","v28.5.0-rc.1","v28.5.1","v28.5.2","xdocs-v1.10-09-05-2016","xdocs-v1.10-28-mar-2016"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24557.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/
AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L"}]}