CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence: High
EPSS
Percentile: 29.5%
A race condition issue was found in the Moby Builder Toolkit, stemming from a time-of-check/time-of-use (TOCTOU) vulnerability during cache volume mounting at container build time. Concurrent execution of two malicious build steps, sharing the same cache mounts with subpaths, may result in files from the host system being accessible to the build container. Successful exploitation could lead to a container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (for example, when using FROM).
Do not use BuildKit frontends or Dockerfiles from untrusted sources.
bugzilla.redhat.com/show_bug.cgi?id=2262224
github.com/moby/buildkit/pull/4604
github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv
nvd.nist.gov/vuln/detail/CVE-2024-23651
snyk.io/blog/cve-2024-23651-docker-buildkit-mount-cache-race/
www.cve.org/CVERecord?id=CVE-2024-23651
www.openwall.com/lists/oss-security/2019/05/28/1