Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-hxze-9pjx-kqc8

Summary

Buildkit credentials inlined to Git URLs could end up in provenance attestation
When the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation.

Git URL can be passed in two ways:

1) Invoking build directly from a URL with credentials.

```
buildctl build --frontend dockerfile.v0 --context https://<credentials>@url/repo.git
```

Equivalent in `docker buildx` would be

```
docker buildx build https://<credentials>@url/repo.git
```

2) If the client sends additional VCS info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file.

Thanks to Oscar Alberto Tovar for discovering the issue.

### Impact
When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation.

Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable.

In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable.

Note: [Docker Build-push Github action](https://github.com/docker/build-push-action) builds from Git URLs by default but **is not** affected by this issue even when working with private repositories because the credentials are passed [with build secrets](https://github.com/docker/build-push-action/blob/v4.0.0/src/context.ts#L203) and not with URLs.

### Patches
Bug is fixed in v0.11.4 .

### Workarounds
It is recommended to pass credentials with build secrets when building directly from Git URL as a more secure alternative than modifying the URL.

In Docker Buildx, VCS info hint can be disabled by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.

### References
- Inline credentials in URLs deprecated in RFC3986 https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1

Aliases

alias	CVE-2023-26054

alias	GHSA-gc89-7gcr-jxqc

Fixed_packages

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.19&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.19&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.19&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.20&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.19&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.20&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.20&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.20&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.20&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.20&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.19&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.22&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.22&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.22&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.23&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.23&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.23&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.21&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.21&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.21&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.19&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.19&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.19&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.19&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=edge&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=edge&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=edge&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.18&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.18&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.18&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.20&reponame=community

url	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.20&reponame=community
purl	pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.20&reponame=community
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.20&reponame=community

url	pkg:ebuild/app-containers/docker@25.0.4
purl	pkg:ebuild/app-containers/docker@25.0.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:ebuild/app-containers/docker@25.0.4

url	pkg:golang/github.com/moby/buildkit@0.11.4
purl	pkg:golang/github.com/moby/buildkit@0.11.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:golang/github.com/moby/buildkit@0.11.4

Affected_packages

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26054.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26054.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-26054

reference_id

reference_type

scores

value	0.01033
scoring_system	epss
scoring_elements	0.7739
published_at	2026-04-21T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77308
published_at	2026-04-02T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77337
published_at	2026-04-04T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77317
published_at	2026-04-07T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77347
published_at	2026-04-08T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77356
published_at	2026-04-09T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77383
published_at	2026-04-11T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77363
published_at	2026-04-12T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.7736
published_at	2026-04-13T12:55:00Z

value	0.01033
scoring_system	epss
scoring_elements	0.77399
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-26054

reference_url

https://github.com/moby/buildkit

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/moby/buildkit

reference_url

https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/

url

https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604

reference_url

https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/

url

https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-26054

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-26054

reference_url

https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2176447
reference_id	2176447
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2176447

reference_url	https://security.gentoo.org/glsa/202409-29
reference_id	GLSA-202409-29
reference_type
scores
url	https://security.gentoo.org/glsa/202409-29

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/

reference_id

LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/

reference_url	https://access.redhat.com/errata/RHSA-2023:3537
reference_id	RHSA-2023:3537
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3537

reference_url	https://access.redhat.com/errata/RHSA-2023:5952
reference_id	RHSA-2023:5952
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5952

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/

reference_id

XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/

reference_id

ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/

Weaknesses

cwe_id	200
name	Exposure of Sensitive Information to an Unauthorized Actor
description	The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hxze-9pjx-kqc8

Vulnerability Instance