CVE-2024-23651
Last modified
CVE-2024-23651 is a high-severity vulnerability rated 7.4/10 on the CVSS scale. BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. EPSS estimates a 0.79% chance of exploitation in the next 30 days.
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mobyproject | Buildkit | < 0.12.5 |
References
- https://github.com/moby/buildkit/pull/4604Patch, Vendor Advisory
- https://github.com/moby/buildkit/releases/tag/v0.12.5Patch, Release Notes
- https://github.com/moby/buildkit/pull/4604Patch, Vendor Advisory
- https://github.com/moby/buildkit/releases/tag/v0.12.5Patch, Release Notes
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-23651?
How severe is CVE-2024-23651?
How do I fix CVE-2024-23651?
Are you affected by CVE-2024-23651?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST