Vulnerability Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mobyproject | Buildkit | < 0.12.5 |
Related Weaknesses (CWE)
References
- https://github.com/moby/buildkit/pull/4602PatchVendor Advisory
- https://github.com/moby/buildkit/releases/tag/v0.12.5PatchRelease Notes
- https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2gVendor Advisory
- https://github.com/moby/buildkit/pull/4602PatchVendor Advisory
- https://github.com/moby/buildkit/releases/tag/v0.12.5PatchRelease Notes
- https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2gVendor Advisory
FAQ
What is CVE-2024-23653?
CVE-2024-23653 is a vulnerability with a CVSS score of 9.8 (CRITICAL). BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for...
How severe is CVE-2024-23653?
CVE-2024-23653 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-23653?
Check the references section above for vendor advisories and patch information. Affected products include: Mobyproject Buildkit.