BuildKit interactive containers API does not validate entitlements check
CVE-2024-23653

9.8 CRITICAL

Key Information:

Vendor: moby
Status: Vendor
CVE Published: 31 January 2024

Summary

A privilege escalation vulnerability exists in BuildKit, a toolkit for converting source code into build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit exposes an API for running interactive containers based on built images. That API did not enforce the entitlement check, so a malicious frontend could use it to ask BuildKit to run a container with elevated privileges. Normally such a container may only run when the security.insecure entitlement is both enabled in the buildkitd configuration and explicitly allowed by the user who submits the build request. The issue is fixed in version 0.12.5; users should upgrade and avoid using BuildKit frontends from untrusted sources.

Affected Version(s)

buildkit < 0.12.5
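As an added example (not part of this advisory and not code from the BuildKit project), the following POSIX shell checks a buildkitd's reported version against the fixed release and inspects whether a buildkitd.toml enables the security.insecure entitlement at all. The version line and both TOML snippets are constructed sample data; the layout of `buildctl debug info` output is an assumption, so only the vX.Y.Z token is relied on, and `insecure-entitlements` is the documented buildkitd.toml key for enabling entitlements.

```shell
#!/bin/sh
# Added example, not the advisory's or BuildKit's own code.
# Two questions a practitioner asks after reading the summary:
#   1. Is this buildkitd below 0.12.5, i.e. missing the entitlement check?
#   2. Does the buildkitd.toml enable security.insecure at all?
# All sample data below is constructed.

# Pull the first vX.Y.Z token out of a version report such as the output of
# `buildctl debug info` or `docker buildx inspect` (exact layout assumed).
extract_buildkit_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*\(v[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 (true) when the version is below 0.12.5, the first fixed release.
# Accepts "v0.12.4", "0.12.4", "v0.12.4-rc1" (pre-release and build-metadata
# suffixes are dropped, so a tag compares as its base version).
# Returns 2 when the input is not a numeric major.minor.patch triple.
buildkit_is_vulnerable() {
    v="${1#v}"                    # drop a leading "v"
    v="${v%%-*}"                  # drop a pre-release suffix such as -rc1
    v="${v%%+*}"                  # drop build metadata such as +abc
    IFS=. read -r major minor patch <<EOF
$v
EOF
    major="${major:-0}"; minor="${minor:-0}"; patch="${patch:-0}"
    case "$major$minor$patch" in
        *[!0-9]*) return 2 ;;     # something other than digits: unparsable
    esac
    if [ "$major" -gt 0 ]; then return 1; fi
    if [ "$minor" -lt 12 ]; then return 0; fi
    if [ "$minor" -gt 12 ]; then return 1; fi
    [ "$patch" -lt 5 ]
}

# Return 0 when the buildkitd.toml read from stdin enables security.insecure,
# i.e. a non-comment "insecure-entitlements" entry lists it.
config_allows_insecure() {
    sed 's/#.*//' | grep 'insecure-entitlements' | grep -q 'security\.insecure'
}

# Constructed sample of what a vulnerable daemon might report.
SAMPLE_DEBUG_INFO='BuildKit: github.com/moby/buildkit v0.12.4 1a2b3c4d'

# Constructed buildkitd.toml with the entitlement enabled. Enabling it is a
# deliberate operator choice; the flaw was that the interactive-container API
# could skip the check that is supposed to gate it.
SAMPLE_TOML_INSECURE='debug = false
# insecure-entitlements allows insecure entitlements, disabled by default.
insecure-entitlements = [ "network.host", "security.insecure" ]
[worker.oci]
  enabled = true'

# Constructed buildkitd.toml that never enables the entitlement (the default).
SAMPLE_TOML_LOCKED='debug = false
# insecure-entitlements = [ "security.insecure" ]   (left disabled)
[worker.oci]
  enabled = true'

# Stand-alone demonstration on the constructed data.
version="$(extract_buildkit_version "$SAMPLE_DEBUG_INFO")"
if buildkit_is_vulnerable "$version"; then
    echo "$version: below 0.12.5, upgrade buildkitd (CVE-2024-23653)"
else
    echo "$version: includes the entitlement check fix"
fi
if printf '%s\n' "$SAMPLE_TOML_INSECURE" | config_allows_insecure; then
    echo "sample config enables security.insecure"
fi
if ! printf '%s\n' "$SAMPLE_TOML_LOCKED" | config_allows_insecure; then
    echo "locked config does not enable security.insecure"
fi
```

Against a live host, feed the real outputs in: `buildkit_is_vulnerable "$(extract_buildkit_version "$(buildctl debug info)")"` and `config_allows_insecure < /etc/buildkit/buildkitd.toml`. The version check is the one that matters: the entitlement being disabled in the config does not make a pre-0.12.5 daemon safe, because the bug is precisely that the interactive-container API did not consult that gate; the config check only tells you what the gate is worth once the upgrade is in place.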

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 31 January 2024

  • Vulnerability Reserved

CVE-2024-23653 : BuildKit interactive containers API does not validate entitlements check | SecurityVulnerability.io