CVE-2024-23652
published 2024-01-31


Priority: P353
Severity: critical, CVSS 3.1 base score 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 2.04% (78.7th percentile)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or a Dockerfile using RUN --mount could trick the feature that removes the empty files created for mountpoints into removing a file outside the container, i.e. on the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding BuildKit frontends from untrusted sources and not building untrusted Dockerfiles that use the RUN --mount feature.
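The advisory's workaround has two inputs a build pipeline can check before it runs: whether the BuildKit in use predates the fixed release v0.12.5, and whether the Dockerfile selects a custom frontend or uses RUN --mount. The script below, an added example and not code from the BuildKit project or the advisory, does that triage. It assumes the frontend is chosen by a leading "# syntax=<image ref>" directive (standard BuildKit behaviour), parses Dockerfiles in a simplified way (backslash continuations only; no heredocs, no "# escape=" directive), and treats only the official docker/dockerfile frontend as trusted, which is this script's own choice. The sample Dockerfiles are constructed for illustration.

```python
"""Pre-build triage for the CVE-2024-23652 workaround (added example, not BuildKit code).

On BuildKit older than v0.12.5 the advisory says: do not use frontends from an
untrusted source and do not build untrusted Dockerfiles that use RUN --mount.
Assumptions: the frontend is selected by a top-of-file "# syntax=" directive,
Dockerfile parsing is simplified, and TRUSTED_FRONTENDS is this script's choice.
"""
import re

FIXED_VERSION = (0, 12, 5, 1)              # v0.12.5 per the advisory; 4th field 1 = final, 0 = pre-release
TRUSTED_FRONTENDS = {"docker/dockerfile"}  # assumption: only the official frontend is trusted

SYNTAX_DIRECTIVE = re.compile(r"^#\s*syntax\s*=\s*(\S+)", re.IGNORECASE)
MOUNT_FLAG = re.compile(r"--mount=(\S+)")
RUN_INSTRUCTION = re.compile(r"RUN\b", re.IGNORECASE)
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> tuple:
    """'v0.12.4' -> (0, 12, 4, 1); '0.12.5-rc1' -> (0, 12, 5, 0) so pre-releases sort before the final."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BuildKit version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_vulnerable_version(text: str) -> bool:
    """True for every release before v0.12.5, the fixed version named in the advisory."""
    return parse_version(text) < FIXED_VERSION


def logical_lines(dockerfile: str):
    """Yield (first_line_number, text) with backslash continuations joined into one line."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def frontend_repository(ref: str) -> str:
    """Strip tag/digest: 'docker/dockerfile:1' -> 'docker/dockerfile'.
    Simplified: a ':' is taken as a tag separator only when no '/' follows it, so
    'localhost:5000/fe' is left untouched (assumption: that heuristic is enough here)."""
    ref = ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition(":")
    return head if sep and "/" not in tail else ref


def scan_dockerfile(dockerfile: str) -> dict:
    """Return the '# syntax=' frontend (if any) and every RUN --mount spec with its line number."""
    frontend, mounts, header_done = None, [], False
    for n, text in logical_lines(dockerfile):
        stripped = text.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            m = SYNTAX_DIRECTIVE.match(stripped)
            # Parser directives are only honoured at the very top, before any other comment or instruction.
            if m and not header_done and frontend is None:
                frontend = m.group(1)
            else:
                header_done = True
            continue
        header_done = True
        if RUN_INSTRUCTION.match(stripped):
            mounts.extend((n, spec) for spec in MOUNT_FLAG.findall(stripped))
    return {"frontend": frontend, "mounts": mounts}


def triage(buildkit_version: str, dockerfile: str) -> dict:
    """Combine the version check and the Dockerfile scan into the workaround decision."""
    scan = scan_dockerfile(dockerfile)
    vulnerable = is_vulnerable_version(buildkit_version)
    fe = scan["frontend"]
    untrusted_frontend = fe is not None and frontend_repository(fe) not in TRUSTED_FRONTENDS
    return {
        "buildkit_vulnerable": vulnerable,
        "frontend": fe,
        "untrusted_frontend": untrusted_frontend,
        "run_mounts": scan["mounts"],
        # A patched BuildKit needs no workaround; an unpatched one must refuse untrusted
        # frontends and Dockerfiles that use RUN --mount (whether a Dockerfile is trusted
        # is the caller's call; the mount list is reported so that call can be made).
        "block_build": vulnerable and (untrusted_frontend or bool(scan["mounts"])),
    }


# Constructed sample Dockerfiles for illustration (not from the advisory).
SAFE_DOCKERFILE = """\
FROM alpine:3.19
RUN apk add --no-cache curl
"""

RISKY_DOCKERFILE = """\
# syntax=example.com/third-party/frontend:latest
FROM golang:1.21
RUN --mount=type=cache,target=/go/pkg/mod \\
    --mount=type=bind,source=.,target=/src \\
    cd /src && go build ./...
RUN echo done
"""

if __name__ == "__main__":
    for version in ("v0.12.4", "v0.12.5"):
        for name, df in (("safe", SAFE_DOCKERFILE), ("risky", RISKY_DOCKERFILE)):
            print(version, name, triage(version, df))
```

The version check deliberately treats a pre-release such as 0.12.5-rc1 as still vulnerable, since only the final v0.12.5 is named as fixed. The mount specs are returned with their line numbers so a CI job can point at the exact RUN instruction it refused.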

Affected

13 ranges

Vendor        Product                                           Version range     Fixed in
github.com    moby_buildkit                                     >= 0, < 0.12.5    0.12.5
moby          buildkit                                          < 0.12.5          0.12.5
mobyproject   buildkit                                          < 0.12.5          0.12.5
msrc          azl3_moby-engine_20.10.25-3_on_azure_linux_3.0    -                 -
msrc          azl3_moby-engine_25.0.3-1_on_azure_linux_3.0      -                 -
msrc          azure_linux_3.0_arm                               -                 -
msrc          azure_linux_3.0_x64                               -                 -
msrc          cbl2_moby-engine_20.10.27-4_on_cbl_mariner_2.0    -                 -
msrc          cbl2_moby-engine_24.0.9-16_on_cbl_mariner_2.0     -                 -
msrc          cbl_mariner_2.0_arm                               -                 -
msrc          cbl_mariner_2.0_x64                               -                 -
paloalto      cortex_xsoar                                      -                 -
paloalto      prisma_cloud                                      -                 -

CVSS provenance

Source          Score   Severity   Vector
nvd (v3.1)      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
osv             9.1     CRITICAL   -
vendor_redhat   10.0    CRITICAL   -
vendor_msrc     9.1     CRITICAL   -
vendor_ubuntu   7.5     HIGH       -