CVE-2024-23652 – github.com/moby/buildkit

Package

Manager: go
Name: github.com/moby/buildkit
Vulnerable Version: >=0 <0.12.5

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

EPSS: 0.03842 pctl0.87726

Details

BuildKit vulnerable to possible host system access from mount stub cleaner ### Impact A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. ### Patches The issue has been fixed in v0.12.5 ### Workarounds Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing `RUN --mount` feature. ### References

Metadata

Created: 2024-01-31T22:43:26Z
Modified: 2024-02-01T17:48:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-4v98-7qmw-rqr8/GHSA-4v98-7qmw-rqr8.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-4v98-7qmw-rqr8
Finding: F063
Auto approve: 1