Metric | Value |
---|---|
CVSS3 | 9.8 High |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
AI Score | 7.3 High |
Confidence | Low |
EPSS | 0.001 Low |
Percentile | 30.0% |

BuildKit is a toolkit for converting source code to build artifacts in an
efficient, expressive and repeatable manner. In addition to running
containers as build steps, BuildKit also provides APIs for running
interactive containers based on built images. It was possible to use these
APIs to ask BuildKit to run a container with elevated privileges. Normally,
running such containers is allowed only if the special security.insecure
entitlement is both enabled in the buildkitd configuration and allowed by the
user initializing the build request. The issue has been fixed in v0.12.5.
Avoid using BuildKit frontends from untrusted sources.
Author | Note |
---|---|
alexmurray | Traditionally the docker.io source package contained both the library and docker application. However, in releases that contain the docker.io-app source package, the docker.io source package contains only the library whilst the docker application itself is contained in the docker.io-app package. |
sbeattie | docker packages contain an embedded copy of github:moby/buildkit |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 20.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 22.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 23.10 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 24.04 | noarch | docker.io | < any | UNKNOWN |
ubuntu | 20.04 | noarch | docker.io-app | < any | UNKNOWN |
ubuntu | 22.04 | noarch | docker.io-app | < any | UNKNOWN |
ubuntu | 23.10 | noarch | docker.io-app | < any | UNKNOWN |
ubuntu | 24.04 | noarch | docker.io-app | < any | UNKNOWN |
github.com/moby/buildkit/pull/4602
github.com/moby/buildkit/releases/tag/v0.12.5
github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g
launchpad.net/bugs/cve/CVE-2024-23653
nvd.nist.gov/vuln/detail/CVE-2024-23653
security-tracker.debian.org/tracker/CVE-2024-23653
www.cve.org/CVERecord?id=CVE-2024-23653