Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2024-23653

Published: 31 January 2024

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources.

Notes

AuthorNote
alexmurray
Traditionally the docker.io source package contained both the
library and docker application. However, in releases that
contain the
docker.io-app source package, the docker.io source package
contains only
the library whilst the docker application itself is contained
in the
docker.io-app package.
sbeattie
docker packages contain an embedded copy of github:moby/buildkit

Priority

Medium

Cvss 3 Severity Score

9.8

Score breakdown

Status

Package Release Status
docker.io
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

jammy Needed

mantic Needed

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Not vulnerable
(code not present)
Patches:
upstream: https://github.com/moby/buildkit/pull/4602/commits/65c3c9c135cba5c9e28d646e85b3c77fa93bbf0c
upstream: https://github.com/moby/buildkit/pull/4602/commits/0c5daa23277e9e1fa8b2d794903cd97df95496fb
docker.io-app
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Needed

jammy Needed

mantic Needed

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Does not exist

Severity score breakdown

Parameter Value
Base score 9.8
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H