{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31318?format=json","vulnerability_id":"VCID-hxze-9pjx-kqc8","summary":"Buildkit credentials inlined to Git URLs could end up in provenance attestation\nWhen the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation.\n\nGit URL can be passed in two ways:\n\n1) Invoking build directly from a URL with credentials.\n\n```\nbuildctl build --frontend dockerfile.v0 --context https://<credentials>@url/repo.git\n```\n\nEquivalent in `docker buildx` would be\n\n```\ndocker buildx build https://<credentials>@url/repo.git\n```\n\n2) If the client sends additional VCS info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. \n\nThanks to Oscar Alberto Tovar for discovering the issue.\n\n### Impact\nWhen a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation.\n\nProvenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable.\n\nIn v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable.\n\nNote: [Docker Build-push Github action](https://github.com/docker/build-push-action) builds from Git URLs by default but **is not** affected by this issue even when working with private repositories because the credentials are passed [with build secrets](https://github.com/docker/build-push-action/blob/v4.0.0/src/context.ts#L203) and not with URLs.\n\n### Patches\nBug is fixed in v0.11.4 . \n\n### Workarounds\nIt is recommended to pass credentials with build secrets when building directly from Git URL as a more secure alternative than modifying the URL.\n\nIn Docker Buildx, VCS info hint can be disabled by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.\n\n\n### References\n- Inline credentials in URLs deprecated in RFC3986 https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1","aliases":[{"alias":"CVE-2023-26054"},{"alias":"GHSA-gc89-7gcr-jxqc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/462988?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530034?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530040?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/546969?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.19&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.19&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559897?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559898?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042082?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462985?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462990?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530035?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530041?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537005?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/546966?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.19&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.19&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1015200?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.18&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.18&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1015201?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.18&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.18&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462991?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462984?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042080?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462989?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462992?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559892?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530036?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530037?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/546967?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.19&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.19&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/546968?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.19&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.19&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559891?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559894?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1015202?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.18&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.18&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1015203?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.18&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.18&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1015204?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.18&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.18&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1015205?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.18&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.18&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1015206?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.18&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.18&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/546965?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.19&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.19&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042079?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042081?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042083?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042084?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042085?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462986?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/462987?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.22&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=v3.22&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530038?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530039?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/530042?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.23&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.23&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537003?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537004?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armhf&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armhf&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537006?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=loongarch64&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=loongarch64&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537007?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537008?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537009?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=s390x&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=s390x&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537010?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/537011?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.21&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559893?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=armv7&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=armv7&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/546964?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=aarch64&distroversion=v3.19&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=aarch64&distroversion=v3.19&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/546970?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.19&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.19&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559895?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=ppc64le&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=ppc64le&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559896?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=riscv64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=riscv64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/559899?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=edge&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=edge&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/1042086?format=json","purl":"pkg:apk/alpine/docker@23.0.2-r0?arch=x86_64&distroversion=v3.20&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/docker@23.0.2-r0%3Farch=x86_64&distroversion=v3.20&reponame=community"},{"url":"http://public2.vulnerablecode.io/api/packages/84650?format=json","purl":"pkg:ebuild/app-containers/docker@25.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/app-containers/docker@25.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/71841?format=json","purl":"pkg:golang/github.com/moby/buildkit@0.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/moby/buildkit@0.11.4"}],"affected_packages":[],"references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26054.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26054.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26054","reference_id":"","reference_type":"","scores":[{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77452","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77444","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77431","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77425","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.7739","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77399","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.7736","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77363","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77383","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77356","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77347","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77317","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77337","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01033","scoring_system":"epss","scoring_elements":"0.77308","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26054"},{"reference_url":"https://github.com/moby/buildkit","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/moby/buildkit"},{"reference_url":"https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/"}],"url":"https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604"},{"reference_url":"https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/"}],"url":"https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26054","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26054"},{"reference_url":"https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2176447","reference_id":"2176447","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2176447"},{"reference_url":"https://security.gentoo.org/glsa/202409-29","reference_id":"GLSA-202409-29","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202409-29"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/","reference_id":"LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3537","reference_id":"RHSA-2023:3537","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3537"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5952","reference_id":"RHSA-2023:5952","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5952"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/","reference_id":"XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/","reference_id":"ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:19Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"}],"weaknesses":[{"cwe_id":200,"name":"Exposure of Sensitive Information to an Unauthorized Actor","description":"The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hxze-9pjx-kqc8"}