BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.
References
Link | Resource |
---|---|
https://github.com/moby/buildkit/pull/4603 | Patch Vendor Advisory |
https://github.com/moby/buildkit/releases/tag/v0.12.5 | Patch Release Notes |
https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 | Vendor Advisory |
https://github.com/moby/buildkit/pull/4603 | Patch Vendor Advisory |
https://github.com/moby/buildkit/releases/tag/v0.12.5 | Patch Release Notes |
https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 | Vendor Advisory |
Configurations
History
21 Nov 2024, 08:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/moby/buildkit/pull/4603 - Patch, Vendor Advisory | |
References | () https://github.com/moby/buildkit/releases/tag/v0.12.5 - Patch, Release Notes | |
References | () https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
09 Feb 2024, 01:44
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:* | |
First Time |
Mobyproject
Mobyproject buildkit |
|
References | () https://github.com/moby/buildkit/pull/4603 - Patch, Vendor Advisory | |
References | () https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 - Vendor Advisory | |
References | () https://github.com/moby/buildkit/releases/tag/v0.12.5 - Patch, Release Notes | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
31 Jan 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-31 22:15
Updated : 2024-11-21 08:58
NVD link : CVE-2024-23652
Mitre link : CVE-2024-23652
CVE.ORG link : CVE-2024-23652
JSON object : View
Products Affected
mobyproject
- buildkit
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')