2262224 – (CVE-2024-23651) CVE-2024-23651 moby/buildkit: possible race condition with accessing subpaths from cache mounts

Bug 2262224 (CVE-2024-23651) - CVE-2024-23651 moby/buildkit: possible race condition with accessing subpaths from cache mounts

Summary: CVE-2024-23651 moby/buildkit: possible race condition with accessing subpaths...

Keywords:
Status:	NEW
Alias:	CVE-2024-23651
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2258742
TreeView+	depends on / blocked

Reported:	2024-02-01 09:56 UTC by TEJ RATHI
Modified:	2025-05-06 08:28 UTC (History)
CC List:	39 users (show)
Fixed In Version:	buildkit 0.12.5
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2024-02-01 09:56:25 UTC

Docker Buildkit <=v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e. when using FROM)

https://snyk.io/blog/cve-2024-23651-docker-buildkit-mount-cache-race/
https://www.openwall.com/lists/oss-security/2019/05/28/1
https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv
https://github.com/moby/buildkit/pull/4604

Note You need to log in before you can comment on or make changes to this bug.

adudiak
bdettelb
davidn
dfreiber
dhanak
drow
dsimansk
epacific
hkataria
jburrell
jcammara
jhardy
jneedle
jobarker
jwendell
kingland
kshier
kverlaen
luizcosta
mabashia
matzew
mnovotny
nweather
owatkins
pierdipi
rcernich
rguimara
rhuss
sdawley
simaishi
smcdonal
stcannon
teagle
tkral
twalsh
vkumar
yguenane
zmiele
zsadeh