CVE-2024-23651
published 2024-01-31


Priority: P3 · 44 · high · 7.4 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.79% (51.7th percentile)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel and sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of a BuildKit frontend from an untrusted source, and not building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
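As an added practitioner check that is not part of this advisory or of BuildKit's own code: the script below scans a Dockerfile for RUN instructions whose cache mounts set a source= subpath, reports cache ids that more than one step mounts that way (the "shared cache mounts with subpaths" pattern the description names), and compares a BuildKit version string against the fixed release 0.12.5. The Dockerfile is a constructed sample; the mount parsing assumes the documented --mount=type=cache,key=value,... syntax and the documented default that a cache id falls back to its target. It does not reproduce the race; a flagged mount only matters when the Dockerfile is untrusted and the builder is older than 0.12.5.

```python
"""Find Dockerfile cache mounts that use a source= subpath and check a
BuildKit version against the CVE-2024-23651 fix (v0.12.5).

Added example; not BuildKit's own code. SAMPLE_DOCKERFILE is constructed.
"""
import re

FIXED_VERSION = (0, 12, 5)

# Constructed sample: stages a and b mount subpaths of one shared cache id,
# stage c uses a cache mount without source= and a bind mount with source=.
SAMPLE_DOCKERFILE = r"""
# syntax=docker/dockerfile:1
FROM alpine AS a
RUN --mount=type=cache,id=shared,target=/cache,source=sub/a \
    sh -c 'echo a > /cache/a'

FROM alpine AS b
RUN --mount=type=cache,id=shared,target=/cache,source=sub/b \
    sh -c 'echo b > /cache/b'

FROM alpine AS c
RUN --mount=type=cache,target=/root/.cache/go-build go build ./...
RUN --mount=type=bind,source=.,target=/src ls /src
"""


def logical_lines(text):
    """Yield (first physical line number, instruction) with backslash
    continuations joined; blank and comment lines between instructions skipped."""
    out, buf, start = [], "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        out.append((start, buf))
        buf = ""
    if buf:
        out.append((start, buf))
    return out


def run_mount_flags(instr):
    """Yield the option strings of --mount=... flags that precede a RUN command."""
    for tok in instr.split()[1:]:
        if not tok.startswith("--"):
            break  # first non-flag token is the start of the command
        if tok.startswith("--mount="):
            yield tok[len("--mount="):]


def parse_mount(flag):
    """Turn 'type=cache,id=x,source=y' into a dict of mount options."""
    opts = {}
    for kv in flag.split(","):
        if "=" in kv:
            k, v = kv.split("=", 1)
            opts[k.strip()] = v.strip()
        elif kv.strip():
            opts[kv.strip()] = ""
    return opts


def find_cache_mounts_with_source(dockerfile_text):
    """Return one record per RUN cache mount that sets a source= subpath."""
    hits = []
    for lineno, instr in logical_lines(dockerfile_text):
        if instr.split(None, 1)[0].upper() != "RUN":
            continue
        for flag in run_mount_flags(instr):
            opts = parse_mount(flag)
            if opts.get("type") == "cache" and "source" in opts:
                hits.append({
                    "line": lineno,
                    # documented default: id falls back to target
                    "id": opts.get("id") or opts.get("target"),
                    "target": opts.get("target"),
                    "source": opts["source"],
                })
    return hits


def shared_cache_ids(hits):
    """Cache ids that more than one step mounts with a subpath."""
    counts = {}
    for h in hits:
        counts[h["id"]] = counts.get(h["id"], 0) + 1
    return {cid: n for cid, n in counts.items() if n > 1}


def is_fixed(version):
    """True if a BuildKit version string such as 'v0.12.5' is >= 0.12.5.
    A pre-release of 0.12.5 itself (e.g. 'v0.12.5-rc1') is treated as unfixed."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)([-+]\S*)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    core = tuple(int(x) for x in m.groups()[:3])
    if core != FIXED_VERSION:
        return core > FIXED_VERSION
    return not (m.group(4) or "").startswith("-")


if __name__ == "__main__":
    found = find_cache_mounts_with_source(SAMPLE_DOCKERFILE)
    for h in found:
        print(f"line {h['line']}: cache id={h['id']} target={h['target']} source={h['source']}")
    print("shared ids with subpaths:", shared_cache_ids(found))
    print("v0.12.4 fixed:", is_fixed("v0.12.4"))
```

Pass the version string printed by your builder (for example the tag shown by `buildctl --version` or `docker buildx version`) to `is_fixed`; on the sample, lines 4 and 8 are reported and id `shared` is flagged as mounted with a subpath by two steps.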

Affected

13 ranges
Vendor | Product | Version range | Fixed in
github.com | moby_buildkit | >= 0 < 0.12.5 | 0.12.5
moby | buildkit | < 0.12.5 | 0.12.5
mobyproject | buildkit | < 0.12.5 | 0.12.5
msrc | azl3_moby-engine_20.10.25-3_on_azure_linux_3.0 | |
msrc | azl3_moby-engine_25.0.3-1_on_azure_linux_3.0 | |
msrc | azure_linux_3.0_arm | |
msrc | azure_linux_3.0_x64 | |
msrc | cbl2_moby-engine_20.10.27-4_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-engine_24.0.9-16_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
paloalto | cortex_xsoar | |
paloalto | prisma_cloud | |

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
osv | | 8.7 | HIGH |
vendor_redhat | | 8.7 | HIGH |
vendor_ubuntu | | 7.5 | HIGH |
vendor_msrc | | 7.4 | HIGH |