SCA: security update for github.com/docker/buildx (GHSA-m4gq-fm9h-8q75)

medium Tenable Cloud Security Plugin ID 421140

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support
credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When
supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part
of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit
daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend
via environment variables or registry authentication. (CVE-2025-0495)

See Also

https://github.com/advisories/GHSA-m4gq-fm9h-8q75

Plugin Details

Severity: Medium

ID: 421140

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 3/18/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2025-0495

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.1

Threat Score: 0.8

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/17/2025

Vulnerability Publication Date: 3/17/2025

Reference Information

CVE: CVE-2025-0495

cwe: CWE-532