2262226 – (CVE-2024-23653) CVE-2024-23653 moby/buildkit: Buildkit's interactive containers API does not validate entitlements check

Bug 2262226 (CVE-2024-23653) - CVE-2024-23653 moby/buildkit: Buildkit's interactive containers API does not validate entitlements check

Summary: CVE-2024-23653 moby/buildkit: Buildkit's interactive containers API does not ...

Keywords:
Status:	NEW
Alias:	CVE-2024-23653
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2333131 2333130
Blocks:	2258742
TreeView+	depends on / blocked

Reported:	2024-02-01 09:56 UTC by TEJ RATHI
Modified:	2025-05-15 22:04 UTC (History)
CC List:	54 users (show)
Fixed In Version:	buildkit 0.12.5
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2024-02-01 09:56:46 UTC

Docker Buildkit <= v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e, when using FROM).

https://snyk.io/blog/cve-2024-23653-buildkit-grpc-securitymode-privilege-check/
https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g
https://github.com/moby/buildkit/pull/4602

Note You need to log in before you can comment on or make changes to this bug.

adudiak
bdettelb
brking
crizzo
davidn
dfreiber
dhanak
doconnor
drow
dsimansk
epacific
gkamathe
haoli
hkataria
jajackso
jburrell
jcammara
jhardy
jmitchel
jneedle
jobarker
jwendell
kegrant
kingland
koliveir
kshier
kverlaen
luizcosta
mabashia
matzew
mnovotny
nweather
omaciel
owatkins
pbraun
pierdipi
rcernich
rguimara
rhuss
sausingh
sdawley
shvarugh
simaishi
smcdonal
stcannon
teagle
tfister
thavo
tkral
twalsh
vkumar
yguenane
zmiele
zsadeh