x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2024-23650

[GoVulnBot]

CVE-2024-23650 references github.com/moby/buildkit, which may be a Go module.

Description:
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-23650
• JSON: https://github.com/CVEProject/cvelist/tree/c99b32470221bca5b06270b4847ef695fbb558e6/2024/23xxx/CVE-2024-23650.json
• advisory: GHSA-9p26-698r-w4hx
• fix: Add more validations for nil values moby/buildkit#4601
• web: https://github.com/moby/buildkit/releases/tag/v0.12.5
• Imported by: https://pkg.go.dev/github.com/moby/buildkit?tab=importedby

Cross references:

• Module github.com/moby/buildkit appears in issue x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2023-26054 #1609 EFFECTIVELY_PRIVATE
• Module github.com/moby/buildkit appears in issue x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2020-27534 #2296 LEGACY_FALSE_POSITIVE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/moby/buildkit
      vulnerable_at: 0.12.5
      packages:
        - package: buildkit
cves:
    - CVE-2024-23650
references:
    - advisory: https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
    - fix: https://github.com/moby/buildkit/pull/4601
    - web: https://github.com/moby/buildkit/releases/tag/v0.12.5

[gopherbot]

Change https://go.dev/cl/562376 mentions this issue: data/reports: add GO-2024-2492.yaml