medium
6.5
CWE
200
Advisory Published
Advisory Published
Updated

CVE-2023-26054: Infoleak

First published: Mon Mar 06 2023(Updated: )

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Mobyproject Buildkit>=0.10.0<0.11.4
go/github.com/moby/buildkit>=0.10.0<0.11.4
0.11.4
redhat/buildkit<0.11.4
0.11.4

Remedy

https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-26054?

    CVE-2023-26054 is a vulnerability that allows credentials passed in Git URLs to be visible in the provenance attestation.

  • How does CVE-2023-26054 affect BuildKit?

    CVE-2023-26054 affects BuildKit by allowing credentials to be exposed in the provenance attestation when a build request contains a Git URL with credentials.

  • What is the severity of CVE-2023-26054?

    CVE-2023-26054 has a severity rating of 6.5 (medium).

  • How do I fix CVE-2023-26054 on BuildKit?

    To fix CVE-2023-26054 on BuildKit, update to version 0.11.4 or higher.

  • Where can I find more information about CVE-2023-26054?

    You can find more information about CVE-2023-26054 at the following references: [GitHub Security Advisory](https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-26054), [GitHub Commit](https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203