BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.
History

Thu, 19 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Low

threat_severity

Important


Fri, 11 Oct 2024 02:45:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Important

threat_severity

Low


Thu, 10 Oct 2024 02:45:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-31T21:57:42.774Z

Updated: 2024-08-01T23:06:25.358Z

Reserved: 2024-01-19T00:18:53.234Z

Link: CVE-2024-23652

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2024-01-31T22:15:54.377

Modified: 2024-11-21T08:58:05.700

Link: CVE-2024-23652

cve-icon Redhat

Severity : Important

Publid Date: 2024-01-31T00:00:00Z

Links: CVE-2024-23652 - Bugzilla