CVE-2024-23651

HIGH8.7EPSS 0.55%

BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts

發布日:2024/1/31修改日:2026/2/4

描述

### Impact Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. ### Patches The issue has been fixed in v0.12.5 ### Workarounds Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with `--mount=type=cache,source=...` options. ### References https://www.openwall.com/lists/oss-security/2019/05/28/1

受影響套件(2)

Go/github.com/moby/buildkitfrom 0, < 0.12.5
Go/github.com/moby/buildkitfrom 0, < 0.12.5

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-23651
PATCHhttps://github.com/moby/buildkit
WEBhttps://github.com/moby/buildkit/pull/4604
WEBhttps://github.com/moby/buildkit/releases/tag/v0.12.5
WEBhttps://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv