BuildKit vulnerable to possible host system access from mount stub cleaner

🗓️ 31 Jan 2024 22:43:26Reported by GitHub Advisory DatabaseType

BuildKit vulnerable to host system access from mount stub cleaner. Malicious frontend/Dockerfile using `RUN --mount` could remove file outside container. Fixed in v0.12.

Reporter	Title	Published	Views	Family All 143
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data	30 Sep 202416:56	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps	28 Feb 202417:16	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Concert Software is vulnerable to multiple issues	22 Aug 202417:47	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Moby BuildKit affect IBM watsonx.data	18 Sep 202420:03	–	ibm
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2024-542)	6 Mar 202400:00	–	nessus
Tenable Nessus	Amazon Linux 2 : docker (ALASDOCKER-2024-044)	29 Aug 202400:00	–	nessus
Tenable Nessus	Amazon Linux 2 : docker (ALASECS-2024-041)	5 Sep 202400:00	–	nessus
Tenable Nessus	Amazon Linux 2 : docker (ALASNITRO-ENCLAVES-2024-045)	29 Aug 202400:00	–	nessus
Tenable Nessus	Docker Desktop < 4.27.1 Multiple Vulnerabilities	9 Feb 202400:00	–	nessus
Tenable Nessus	GLSA-202407-12 : podman: Multiple Vulnerabilities	5 Jul 202400:00	–	nessus

Vulners

Node

moby buildkitRange<0.12.5go

Source	Link
github	www.github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8
github	www.github.com/moby/buildkit/pull/4603
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-23652
github	www.github.com/moby/buildkit/releases/tag/v0.12.5
github	www.github.com/advisories/GHSA-4v98-7qmw-rqr8

01 Feb 2024 17:48Current

7High risk

Vulners AI Score7

CVSS 3.19.1 - 10

EPSS0.05701

SSVC

CWE-22