CVE-2025-0495

CVE-2025-0495

Título es
CVE-2025-0495

Lun, 17/03/2025 – 20:15

Tipo
CWE-532

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-0495

Descripción en
Buildx is a Docker CLI plugin that extends build capabilities using BuildKit.

Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records.

This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.

17/03/2025

17/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Gravedad 4.0
4.10

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

Enviar en el boletín
Off