CVE-2026-33748
BuildKit Git URL subdir component can cause access to restricted files
Severity: HIGH 7.5 (CVSS 3.1), EPSS: 0.03%
Published: 2026/3/26, modified: 2026/5/5
Description

### Impact

Insufficient validation of Git URL fragment subdir components (`<url>#<ref>:<subdir>`, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem.

### Patches

The issue has been fixed in version v0.28.1.

### Workarounds

The issue affects only builds that use Git URLs with a subpath component. Avoid building Dockerfiles from untrusted sources, and avoid using the subdir component with an untrusted Git repository, where the subdir could point to a symlink.
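The defect class above is a subdir that resolves, through a symlink committed to the repository, to a location outside the checkout root. The following is an added example written for this page; it is not BuildKit's code and not the fix shipped in v0.28.1. The function name `resolveSubdir` and the sentinel `ErrOutsideRoot` are names chosen here. It confines a `<subdir>` component to the checkout root by rejecting absolute and `..` paths lexically, then resolving symlinks on both the root and the candidate and checking that the real path still lies under the real root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the requested subdir, after following
// symlinks, does not lie inside the checkout root.
var ErrOutsideRoot = errors.New("subdir escapes repository root")

// resolveSubdir returns the symlink-resolved absolute path of subdir inside
// root, or ErrOutsideRoot if it escapes root. root is the directory the Git
// checkout was written to; subdir is the part after ':' in <url>#<ref>:<subdir>.
// (Illustrative function, not BuildKit's own implementation.)
func resolveSubdir(root, subdir string) (string, error) {
	// Resolve the root itself first so that a symlinked temp directory
	// (e.g. /var -> /private/var on macOS) compares equal to its real path.
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realRoot, err = filepath.Abs(realRoot)
	if err != nil {
		return "", err
	}

	// Cheap lexical checks: an absolute subdir or a leading ".." can never be
	// inside the root, so reject them before touching the filesystem.
	clean := filepath.Clean(subdir)
	if filepath.IsAbs(clean) || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}

	// The lexical check is not enough: a symlink committed inside the repo can
	// point anywhere on the same filesystem, so resolve the candidate too.
	candidate := filepath.Join(realRoot, clean)
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}

	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return realPath, nil
}

// main builds a constructed scenario in a temp dir: a repo with a normal
// subdirectory and a symlink pointing to a sibling directory outside it.
func main() {
	base, err := os.MkdirTemp("", "gitctx")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	root := filepath.Join(base, "repo")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{filepath.Join(root, "app"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			panic(err)
		}
	}
	// Symlink inside the checkout that targets a directory outside it.
	if err := os.Symlink(outside, filepath.Join(root, "escape")); err != nil {
		panic(err)
	}

	for _, sub := range []string{"app", "escape", "../outside", "/etc"} {
		p, err := resolveSubdir(root, sub)
		fmt.Printf("%-12s -> path=%q err=%v\n", sub, p, err)
	}
}
```

The lexical check alone would accept `escape` here; only the post-`EvalSymlinks` comparison against the resolved root catches it, which is the distinction the advisory's "could point to a symlink" wording turns on.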
Affected packages (3)
- Debian / docker.io: from 0
- Go / github.com/moby/buildkit: from 0, < 0.28.1
- Go / github.com/moby/buildkit: from 0, < 0.28.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-33748
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-33748
- PATCH: https://github.com/moby/buildkit
- WEB: https://docs.docker.com/build/concepts/context/#url-fragments
- WEB: https://github.com/moby/buildkit/releases/tag/v0.28.1
- WEB: https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg