github.com/moby/buildkit is vulnerable to information disclosure. When a build request contains a Git URL with embedded credentials, anyone with access to the build provenance attestation can view those credentials. An attacker can use these Git credentials to access repositories.
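
A defender-side check for the exposure described above, as an added example that is not BuildKit's own code or its fix: it walks a provenance attestation, strips the userinfo part from every URL-valued string and reports where credentials were found. The sample document, its SLSA v0.2 style field names, and the names scan and RedactProvenance are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
)

// Constructed sample: field layout follows SLSA v0.2 provenance, values are made up.
const sample = `{"predicate":{"invocation":{"configSource":{"uri":"https://ci-user:EXAMPLE_TOKEN@git.example.com/org/app.git#main"}},
 "materials":[{"uri":"https://ci-user:EXAMPLE_TOKEN@git.example.com/org/app.git#main"},{"uri":"pkg:docker/alpine@3.18"}]}}`

// scan walks decoded JSON, strips userinfo from URL strings and records each hit's path.
func scan(v interface{}, path string, hits *[]string) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, c := range t {
			t[k] = scan(c, path+"."+k, hits)
		}
	case []interface{}:
		for i, c := range t {
			t[i] = scan(c, fmt.Sprintf("%s[%d]", path, i), hits)
		}
	case string: // any userinfo counts: some Git hosts accept a token as the username
		if u, err := url.Parse(t); err == nil && u.Host != "" && u.User != nil {
			u.User = nil
			*hits = append(*hits, path)
			return u.String()
		}
	}
	return v
}

// RedactProvenance returns the cleaned JSON and the sorted paths that held credentials.
func RedactProvenance(doc string) (string, []string, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		return "", nil, err
	}
	var hits []string
	v = scan(v, "$", &hits)
	sort.Strings(hits)
	out, err := json.Marshal(v)
	return string(out), hits, err
}

func main() {
	fmt.Println(RedactProvenance(sample))
}
```

A non-empty path list on an attestation that has already been published means the credential should be treated as exposed and rotated; redacting the stored copy does not undo the disclosure.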
github.com/advisories/GHSA-gc89-7gcr-jxqc
github.com/moby/buildkit/commit/3abd1ef0c195cdc078d1657cb50f62a2cdc26f8f
github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604
github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc
lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
lists.fedoraproject.org/archives/list/[email protected]/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/