BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.
References
Link | Resource |
---|---|
https://github.com/moby/buildkit/pull/4603 | Patch Vendor Advisory |
https://github.com/moby/buildkit/releases/tag/v0.12.5 | Patch Release Notes |
https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 | Vendor Advisory |
Configurations
History
09 Feb 2024, 01:44
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
References | () https://github.com/moby/buildkit/pull/4603 - Patch, Vendor Advisory | |
References | () https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 - Vendor Advisory | |
References | () https://github.com/moby/buildkit/releases/tag/v0.12.5 - Patch, Release Notes | |
First Time |
Mobyproject
Mobyproject buildkit |
31 Jan 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-31 22:15
Updated : 2024-02-28 20:54
NVD link : CVE-2024-23652
Mitre link : CVE-2024-23652
CVE.ORG link : CVE-2024-23652
JSON object : View
Products Affected
mobyproject
- buildkit
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')