CVE-2024-23651

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/moby/buildkit/pull/4604	Patch Vendor Advisory
https://github.com/moby/buildkit/releases/tag/v0.12.5	Patch Release Notes
https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*

History

09 Feb 2024, 01:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.4
First Time		Mobyproject Mobyproject buildkit
CPE		cpe:2.3:a:mobyproject:buildkit::::::::
References	~~() https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv -~~	() https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv - Vendor Advisory
References	~~() https://github.com/moby/buildkit/pull/4604 -~~	() https://github.com/moby/buildkit/pull/4604 - Patch, Vendor Advisory
References	~~() https://github.com/moby/buildkit/releases/tag/v0.12.5 -~~	() https://github.com/moby/buildkit/releases/tag/v0.12.5 - Patch, Release Notes

31 Jan 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-31 22:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-23651

Mitre link : CVE-2024-23651

CVE.ORG link : CVE-2024-23651

JSON object : View

Products Affected

mobyproject

buildkit

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2024-23651", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.2}]}, "published": "2024-01-31T22:15:54.183", "references": [{"url": "https://github.com/moby/buildkit/pull/4604", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/buildkit/releases/tag/v0.12.5", "tags": ["Patch", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.\n"}, {"lang": "es", "value": "BuildKit es un conjunto de herramientas para convertir c\u00f3digo fuente para crear artefactos de manera eficiente, expresiva y repetible. Dos pasos de compilaci\u00f3n maliciosos que se ejecutan en paralelo y comparten los mismos montajes de cach\u00e9 con subrutas podr\u00edan causar una condici\u00f3n de ejecuci\u00f3n que puede hacer que los archivos del sistema host sean accesibles al contenedor de compilaci\u00f3n. El problema se solucion\u00f3 en v0.12.5. Los workarounds incluyen evitar el uso de la interfaz de BuildKit desde una fuente que no es de confianza o crear un Dockerfile que no sea de confianza que contenga montajes de cach\u00e9 con las opciones --mount=type=cache,source=...."}], "lastModified": "2024-02-09T01:43:51.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0AAE2F08-4E4D-4B85-8230-8D5BA7788D3D", "versionEndExcluding": "0.12.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}