CVE-2024-24557: 
cAdvisor vulnerability analysis and mitigation

The classic builder cache system in Moby (Docker) is affected by a cache poisoning vulnerability (CVE-2024-24557) discovered in early 2024. The vulnerability affects versions >= v23 and < v23.0.10, >= v24 and < v24.0.9, and >= v25 and < v25.0.2. The issue specifically impacts the classic builder when building images using 'FROM scratch' instructions (GitHub Advisory).

The vulnerability allows cache poisoning in scenarios where images are built FROM scratch. Additionally, certain instructions like HEALTHCHECK and ONBUILD would not trigger a cache miss when they should. The issue affects Docker versions 23.0+ when users explicitly opt out of Buildkit (using DOCKER_BUILDKIT=0) or when using the /build API endpoint. All versions prior to 23.0 are potentially impacted. The vulnerability has been assigned a CVSS v3.1 base score of 6.9 (Moderate), with attack vector being Local, attack complexity High, requiring no privileges but user interaction (GitHub Advisory).

An attacker with knowledge of a target's Dockerfile could poison their cache by creating a specially crafted image that would be considered a valid cache candidate. For example, they could create an image that appears as a valid cache candidate for a simple 'FROM scratch' instruction while actually containing malicious content. This is particularly concerning in shared cache environments like CI systems or when users accidentally pull malicious images due to typosquatting (GitHub Advisory).

Several mitigation options are available: 1) Use --no-cache flag when building images, 2) Enable Buildkit (DOCKER_BUILDKIT=1) which is the default in version 23.0+ with buildx plugin installed, 3) Use Version = types.BuilderBuildKit or NoCache = true in ImageBuildOptions for ImageBuild calls. The vulnerability has been patched in Moby releases v25.0.2, v24.0.9, and v23.0.10 (GitHub Advisory).