CVE-2024-23651

EUVD-2024-0383
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel and sharing the same cache mount, each selecting a subpath of it, could trigger a race condition that makes files from the host system accessible inside the build container. The issue is fixed in v0.12.5. Until you can upgrade, the workarounds are to avoid using a BuildKit frontend from an untrusted source and to avoid building an untrusted Dockerfile that contains cache mounts with --mount=type=cache,source=... options.
Race Condition
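The advisory points at two things a practitioner can check before building: whether the builder is on a fixed BuildKit release, and whether a Dockerfile uses the specific mount shape named in the workaround (a cache mount that selects a subpath with source=). The script below is an added triage example written for this page; it is not code from the BuildKit project or the advisory. It assumes a small constructed Dockerfile, treats mounts without type= as bind mounts (BuildKit's documented default), treats src= as an alias of source= (an assumption), and compares the version string you obtain from your builder against v0.12.5, with pre-release suffixes sorting below the final release.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Dockerfile for this example (not from the advisory).
SAMPLE_DOCKERFILE = """\
FROM golang:1.21 AS build
WORKDIR /src
# cache mount without a subpath: not the pattern named in the advisory
RUN --mount=type=cache,target=/root/.cache/go-build go build ./...
# cache mount that selects a subpath of the shared cache with source=
RUN --mount=type=cache,id=deps,target=/deps,source=vendor \\
    make vendor
# bind mount: source= here is a build-context path, not a cache subpath
RUN --mount=type=bind,source=.,target=/ctx cat /ctx/go.mod
"""

MOUNT_RE = re.compile(r"--mount=(\S+)")
RUN_RE = re.compile(r"\s*run\b", re.IGNORECASE)
# v0.12.5 final; the trailing 1 marks "not a pre-release" so that
# 0.12.5-rc1 (trailing 0) still compares as unfixed.
FIXED_VERSION = (0, 12, 5, 1)


def logical_instructions(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines into one instruction and keep the line
    number on which each instruction starts. Blank and comment lines are skipped."""
    out: List[Tuple[int, str]] = []
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comments are dropped even inside a continuation
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        out.append((start, buf))
        buf = ""
    if buf:
        out.append((start, buf))
    return out


def parse_mount(spec: str) -> Dict[str, str]:
    """Split 'k=v,k=v,flag' into a dict; bare flags such as 'ro' map to ''."""
    opts: Dict[str, str] = {}
    for part in spec.split(","):
        key, _, value = part.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def cache_mounts_with_subpath(text: str) -> List[Tuple[int, Dict[str, str]]]:
    """Return (line_no, options) for every RUN cache mount that uses source=
    (or the assumed alias src=). Mounts without type= default to bind."""
    hits: List[Tuple[int, Dict[str, str]]] = []
    for no, instr in logical_instructions(text):
        if not RUN_RE.match(instr):
            continue
        for spec in MOUNT_RE.findall(instr):
            opts = parse_mount(spec)
            if opts.get("type", "bind") != "cache":
                continue
            if "source" in opts or "src" in opts:
                hits.append((no, opts))
    return hits


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'v0.12.5' or '0.12.5-rc1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised BuildKit version: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def buildkit_is_fixed(version: str) -> bool:
    """True when the builder runs v0.12.5 or later."""
    return parse_version(version) >= FIXED_VERSION


def assess(dockerfile_text: str, buildkit_version: str) -> Dict[str, object]:
    """Combine the version check and the Dockerfile scan into one verdict."""
    flagged = [no for no, _ in cache_mounts_with_subpath(dockerfile_text)]
    fixed = buildkit_is_fixed(buildkit_version)
    if fixed:
        action = "no action: BuildKit is at or above v0.12.5"
    elif flagged:
        action = "do not build untrusted Dockerfiles with this BuildKit; upgrade to v0.12.5 or later"
    else:
        action = "upgrade BuildKit; no subpath cache mounts found in this Dockerfile"
    return {"buildkit_fixed": fixed, "flagged_lines": flagged, "action": action}


if __name__ == "__main__":
    for no, opts in cache_mounts_with_subpath(SAMPLE_DOCKERFILE):
        print(f"line {no}: cache mount target={opts.get('target')} source={opts.get('source')}")
    print(assess(SAMPLE_DOCKERFILE, "v0.12.4"))
```

Feed assess() the Dockerfile text and the BuildKit version your builder reports (for example from the output of docker buildx inspect --bootstrap). The scan is a triage aid only: it finds the mount shape the advisory names, it does not prove a given Dockerfile is malicious, and a clean scan does not remove the need to upgrade.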
CVSS v3.1 scores
Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 8.7 HIGH   | NETWORK     | HIGH            | NONE           | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
GitHub_M | CNA     | 8.7 HIGH   | NETWORK     | HIGH            | NONE           | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score: Percentile 67%
Affected Products (NVD)
Vendor      | Product  | Version
mobyproject | buildkit | < 0.12.5 (vulnerable)
Ubuntu Releases
Package       | Codename | Status       | Fixed version
docker.io     | bionic   | released     | 20.10.21-0ubuntu1~18.04.3+esm3
docker.io     | focal    | released     | 20.10.21-0ubuntu1~20.04.6+esm2
docker.io     | jammy    | released     | 20.10.21-0ubuntu1~22.04.7+esm2
docker.io     | mantic   | ignored      |
docker.io     | noble    | released     | 20.10.25+dfsg1-2ubuntu1+esm2
docker.io     | oracular | ignored      |
docker.io     | plucky   | needed       |
docker.io     | questing | needed       |
docker.io     | trusty   | ignored      |
docker.io     | xenial   | not-affected |
docker.io-app | bionic   | dne          |
docker.io-app | focal    | needed       |
docker.io-app | jammy    | released     | 27.5.1-0ubuntu3~22.04.2
docker.io-app | mantic   | ignored      |
docker.io-app | noble    | released     | 27.5.1-0ubuntu3~24.04.2
docker.io-app | oracular | ignored      |
docker.io-app | plucky   | not-affected |
docker.io-app | questing | not-affected |
docker.io-app | trusty   | ignored      |
docker.io-app | xenial   | dne          |
Status values follow the Ubuntu CVE tracker: released (fix published), needed (fix still required), not-affected, ignored (no fix planned for that release), dne (package does not exist in that release).