BuildKit possible race condition with accessing subpaths from cache mounts
CVE-2024-23651
Summary
BuildKit, a toolkit designed for efficiently converting source code into build artifacts, is susceptible to a race condition when two malicious build steps are executed in parallel while sharing the same cache mounts with subpaths. This vulnerability potentially allows unauthorized access to files on the host system from within the build container. The vulnerability has been resolved in version 0.12.5 of BuildKit. To mitigate risks, users are advised to avoid utilizing untrusted sources for BuildKit frontends and refrain from constructing untrusted Dockerfiles that implement cache mounts using the --mount=type=cache,source=... options.
Affected Version(s)
buildkit < 0.12.5
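An added example, not part of the original advisory or of BuildKit itself: a small Python audit that flags Dockerfile RUN steps using the --mount=type=cache,source=... form named in the summary and checks a BuildKit version string against the fixed release 0.12.5. The function names and the sample Dockerfile are constructed for illustration.

```python
import re

FIXED = (0, 12, 5)  # first fixed BuildKit release, per the advisory

def buildkit_is_affected(version: str) -> bool:
    """True when a version string such as 'v0.12.4' is below 0.12.5."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups()) < FIXED

def logical_lines(text: str):
    """Yield (first_line_number, text) with backslash continuations folded."""
    start, buf = None, ""
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        buf += line[:-1] + " " if line.endswith("\\") else line
        if not line.endswith("\\"):
            yield start, buf
            start, buf = None, ""

def find_cache_source_mounts(dockerfile: str):
    """Return (line_number, mount_spec) for RUN cache mounts that set source=."""
    hits = []
    for no, line in logical_lines(dockerfile):
        if not re.match(r"\s*RUN\b", line, re.IGNORECASE):
            continue
        for spec in re.findall(r"--mount=(\S+)", line):
            opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
            if opts.get("type") == "cache" and "source" in opts:
                hits.append((no, spec))
    return hits

# Constructed sample input, not taken from any real project.
SAMPLE = """\
FROM alpine:3.19
RUN --mount=type=cache,target=/root/.cache true
RUN --mount=type=cache,source=sub/dir,target=/cache \\
    ls /cache
RUN --mount=target=/c2,source=other,type=cache ls /c2
RUN --mount=type=bind,source=.,target=/src ls /src
"""

if __name__ == "__main__":
    for no, spec in find_cache_source_mounts(SAMPLE):
        print(f"line {no}: --mount={spec}")
    print("v0.12.4 affected:", buildkit_is_affected("v0.12.4"))
```

A hit is only a prompt for review: a cache mount with a subpath is a normal feature, and the risk described above arises when the Dockerfile or frontend comes from an untrusted source and the builder is older than 0.12.5.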
News Articles
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
'Leaky Vessels' is a set of container escape vulnerabilities affecting runC and BuildKit. Learn how they work and what security teams can do to mitigate them.
Container Escape: New Vulnerabilities Affecting Docker and RunC - Palo Alto Networks Blog
Mitigate critical Leaky Vessels vulnerabilities in Docker and RunC with in-depth analysis on CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653.
Leaky Vessels Vulnerability Sinks Container Security
Attackers could use a security hole in the open source runc container runtime engine — used by Docker and others — to gain control of the host machine.
Timeline
- First article discovered by Snyk
- Vulnerability published
- Vulnerability Reserved