BuildKit vulnerable to possible host system access from mount stub cleaner
High severity · GitHub Reviewed · Published Jan 31, 2024 in moby/buildkit · Updated Jan 31, 2024
Package
gomod github.com/moby/buildkit (Go)
Affected versions
< 0.12.5
Impact
A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes the empty files created for mountpoints (the mount stub cleaner) into removing a file outside the container, on the host system.
Patches
The issue has been fixed in v0.12.5.
Workarounds
Avoid using a BuildKit frontend from an untrusted source, and avoid building an untrusted Dockerfile that uses the RUN --mount feature.
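The Go program below is an added illustration, not BuildKit's own code or its actual fix, and covers both the Impact and Workarounds sections above. `SafeStubPath` and `RemoveStub` (hypothetical names) only delete a mount stub when the path, after resolving symlinks in its parent directories, still lies under the build rootfs and names an empty regular file; that is the containment property a stub cleaner needs so that cleanup can never touch a file outside the container, whether the path escapes through `..` traversal or through a directory that links elsewhere. `RunMountLines` flags `RUN --mount` instructions (continuation lines included) so an untrusted Dockerfile can be rejected before a build, as the workaround suggests. The Dockerfile in `main` is constructed sample input; the page does not describe the exact trick used against the real cleaner, so nothing here reproduces it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot: the stub path does not resolve to a location under the rootfs.
var ErrOutsideRoot = errors.New("mount stub resolves outside the build rootfs")

// ErrNotEmptyStub: the path is not the empty regular file mount setup created.
var ErrNotEmptyStub = errors.New("path is not an empty regular file")

// SafeStubPath takes the build rootfs and a mountpoint as written in the
// Dockerfile and returns the on-disk path that may be removed, or an error.
// Hypothetical helper; BuildKit's real cleaner is structured differently.
func SafeStubPath(rootfs, mountpoint string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	// Clean("/"+mountpoint) collapses any ".." so the join stays under the root
	// lexically; symlinks in the parent are then resolved and checked.
	candidate := filepath.Join(realRoot, filepath.Clean("/"+mountpoint))
	parent, err := filepath.EvalSymlinks(filepath.Dir(candidate))
	if err != nil {
		return "", err
	}
	resolved := filepath.Join(parent, filepath.Base(candidate))
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// Lstat, not Stat: the final component is never followed, so a symlink
	// placed where the stub should be is rejected rather than dereferenced.
	fi, err := os.Lstat(resolved)
	if err != nil {
		return "", err
	}
	if !fi.Mode().IsRegular() || fi.Size() != 0 {
		return "", ErrNotEmptyStub
	}
	return resolved, nil
}

// RemoveStub deletes the stub only after SafeStubPath accepts it.
func RemoveStub(rootfs, mountpoint string) error {
	p, err := SafeStubPath(rootfs, mountpoint)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

// RunMountLines returns the 1-based line numbers of RUN instructions that use
// --mount. Backslash continuations are joined; blank and comment lines are
// skipped without ending a continuation.
func RunMountLines(dockerfile string) []int {
	var hits []int
	instrLine, buf, cont := 0, "", false
	for i, raw := range strings.Split(dockerfile, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !cont {
			instrLine, buf = i+1, ""
		}
		cont = strings.HasSuffix(line, "\\")
		buf += " " + strings.TrimSuffix(line, "\\")
		if cont {
			continue
		}
		fields := strings.Fields(buf)
		if len(fields) > 1 && strings.EqualFold(fields[0], "RUN") {
			for _, f := range fields[1:] {
				if strings.HasPrefix(f, "--mount") {
					hits = append(hits, instrLine)
					break
				}
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample Dockerfile, not from the advisory.
	df := "FROM alpine\nRUN --mount=type=cache,target=/root/.cache \\\n    apk add --no-cache curl\nRUN echo hi\n"
	fmt.Println("RUN --mount at lines:", RunMountLines(df))
}
```

A build pipeline that accepts Dockerfiles from outside the organisation would run `RunMountLines` as a pre-build gate while BuildKit is below 0.12.5; the containment check is the shape of the invariant to look for when reviewing any cleanup routine that deletes paths derived from build input.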
References
- GHSA-4v98-7qmw-rqr8
- CVE-2024-23652
- moby/buildkit#4603
Published to the GitHub Advisory Database
Jan 31, 2024
Last updated
Jan 31, 2024
Related news
Gentoo Linux Security Advisory 202409-29 - Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service. Versions greater than or equal to 25.0.4 are affected.
Gentoo Linux Security Advisory 202407-25 - Multiple vulnerabilities have been discovered in Buildah, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.35.3 are affected.
Gentoo Linux Security Advisory 202407-12 - Multiple vulnerabilities have been discovered in Podman, the worst of which could lead to privilege escalation. Versions greater than or equal to 4.9.4 are affected.
Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks. The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed Leaky Vessels by cybersecurity vendor Snyk. "These container