CVSS3 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
AI Score confidence | Low |
EPSS percentile | 29.5% |
BuildKit is a toolkit for converting source code to build artifacts in an
efficient, expressive and repeatable manner. Two malicious build steps
running in parallel and sharing the same cache mounts with subpaths could
cause a race condition that lets files from the host system become
accessible to the build container. The issue has been fixed in v0.12.5.
Workarounds include avoiding the use of a BuildKit frontend from an
untrusted source, and avoiding building an untrusted Dockerfile that
contains cache mounts with --mount=type=cache,source=… options.
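As an added defensive example (not code from the advisory or the BuildKit project), the following Python check scans a Dockerfile for RUN instructions whose cache mounts set a source= subpath, the construct the workaround above says to avoid when building untrusted Dockerfiles on BuildKit older than v0.12.5. The sample Dockerfile is constructed for this example and the parser assumes the default backslash line-continuation and shell-form RUN syntax.

```python
import shlex

# Constructed sample Dockerfile (not from the advisory); the cache mount on
# line 6 uses a source= subpath, the construct the workaround warns about.
DOCKERFILE = """FROM golang:1.21 AS build
WORKDIR /src
RUN --mount=type=cache,target=/go/pkg/mod \\
    --mount=type=cache,target=/root/.cache/go-build \\
    go build -o /out/app ./...
RUN --mount=type=cache,id=shared,source=sub/dir,target=/data \\
    cp -r /data /out/data
RUN --mount=type=bind,source=.,target=/ctx cat /ctx/README.md
"""

def _logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        start = start or lineno
        line = line.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf, start = [], None

def _parse_mount(spec):
    """Turn 'type=cache,source=sub/dir,target=/data' into a dict (bare keys map to '')."""
    opts = {}
    for kv in spec.split(","):
        key, _, val = kv.partition("=")
        opts[key.strip()] = val.strip()
    return opts

def find_cache_subpath_mounts(text):
    """Return (line_number, mount_options) for each RUN cache mount that sets source=."""
    hits = []
    for lineno, inst in _logical_lines(text):
        if not inst.upper().startswith("RUN "):
            continue
        for tok in shlex.split(inst[4:]):
            if not tok.startswith("--"):
                break  # RUN flags precede the command; stop at the first command word
            if tok.startswith("--mount="):
                opts = _parse_mount(tok[len("--mount="):])
                if opts.get("type") == "cache" and opts.get("source"):
                    hits.append((lineno, opts))
    return hits
```

A non-empty result is a reason to reject or manually review the Dockerfile before building it on an unpatched BuildKit; cache mounts without source= are not flagged.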
Author | Note |
---|---|
alexmurray | Traditionally the docker.io source package contained both the library and docker application. However, in releases that contain the docker.io-app source package, the docker.io source package contains only the library whilst the docker application itself is contained in the docker.io-app package. |
sbeattie | docker packages contain an embedded copy of github:moby/buildkit |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 20.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 22.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 24.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 20.04 | noarch | docker.io-app | < any | UNKNOWN |
ubuntu | 22.04 | noarch | docker.io-app | < any | UNKNOWN |
ubuntu | 24.04 | noarch | docker.io-app | < any | UNKNOWN |
github.com/moby/buildkit/pull/4604
github.com/moby/buildkit/releases/tag/v0.12.5
github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv
launchpad.net/bugs/cve/CVE-2024-23651
nvd.nist.gov/vuln/detail/CVE-2024-23651
security-tracker.debian.org/tracker/CVE-2024-23651
www.cve.org/CVERecord?id=CVE-2024-23651
www.openwall.com/lists/oss-security/2019/05/28/1