CVE-2024-23653
CRITICAL9.8EPSS 10.3%Privilege escalation in github.com/moby/buildkit
發布日:2024/1/31修改日:2026/2/4
描述
BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.
受影響套件(2)
- Go/github.com/moby/buildkitfrom 0, < 0.12.5
- Go/github.com/moby/buildkitfrom 0, < 0.12.5
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-23653
- PATCHhttps://github.com/moby/buildkit
- WEBhttps://github.com/moby/buildkit/commit/5026d95aa3336e97cfe46e3764f52d08bac7a10e
- WEBhttps://github.com/moby/buildkit/commit/92cc595cfb12891d4b3ae476e067c74250e4b71e
- WEBhttps://github.com/moby/buildkit/pull/4602
- WEBhttps://github.com/moby/buildkit/releases/tag/v0.12.5
- WEBhttps://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g