CVE-2024-23651
HIGHBuildKit < 0.12.5 - Unauthenticated Race Condition via Cache Mount Subpaths
Title source: llmDescription
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv
Patch, Vendor Advisory x_refsource_misc
https://github.com/moby/buildkit/pull/4604
Patch, Release Notes x_refsource_misc
https://github.com/moby/buildkit/releases/tag/v0.12.5
Scores
CVSS v3
8.7
EPSS
0.0079
EPSS Percentile
51.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-362
Status
published
Products (2)
moby/buildkit
0 - 0.12.5Go
mobyproject/buildkit
< 0.12.5
Published
Jan 31, 2024
Tracked Since
Feb 18, 2026