CVE-2024-23651
Published: 31 January 2024
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
Notes
| Author | Note |
|---|---|
| alexmurray | Traditionally the docker.io source package contained both the library and docker application. However, in releases that contain the docker.io-app source package, the docker.io source package contains only the library whilst the docker application itself is contained in the docker.io-app package. |
| sbeattie | docker packages contain an embedded copy of github:moby/buildkit |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
docker.io Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| jammy |
Needed
|
|
| mantic |
Needed
|
|
| noble |
Needed
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
docker.io-app Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needed
|
|
| jammy |
Needed
|
|
| mantic |
Needed
|
|
| noble |
Needed
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.4 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |