CVE-2024-23653
Published: 31 January 2024
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources.
Notes
Author | Note |
---|---|
alexmurray | Traditionally the docker.io source package contained both the library and docker application. However, in releases that contain the docker.io-app source package, the docker.io source package contains only the library whilst the docker application itself is contained in the docker.io-app package. |
sbeattie | docker packages contain an embedded copy of github:moby/buildkit |
Priority
Status
Package | Release | Status |
---|---|---|
docker.io Launchpad, Ubuntu, Debian |
bionic |
Needed
|
focal |
Needed
|
|
jammy |
Needed
|
|
mantic |
Needed
|
|
noble |
Needed
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
(code not present)
|
|
Patches: upstream: https://github.com/moby/buildkit/pull/4602/commits/65c3c9c135cba5c9e28d646e85b3c77fa93bbf0c upstream: https://github.com/moby/buildkit/pull/4602/commits/0c5daa23277e9e1fa8b2d794903cd97df95496fb |
||
docker.io-app Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Needed
|
|
jammy |
Needed
|
|
mantic |
Needed
|
|
noble |
Needed
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |