CVE-2024-23653 — Incorrect Authorization in Buildkit

CWE-863 — Incorrect Authorization CWE-22 — Path Traversal CWE-362 — Race Condition CWE-403 — File Descriptor Leak CWE-668 — Resource Exposure12 documents8 sources

Severity

9.8CRITICALNVD

EPSS

10.5%

top 6.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moby Buildkit Github.com Moby Buildkit Mobyproject Buildkit +20 more

Timeline

PublishedJan 31

Latest updateMar 1

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages23 packages

▶CVEListV5moby/buildkit< 0.12.5

▶NVDmobyproject/buildkit< 0.12.5

▶Gogithub.com/moby_buildkit< 0.12.5

▶msrcmsrc/cbl2_moby-buildx_0.7.1-18_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_moby-buildx_0.7.1-24_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Privilege escalation in github.com/moby/buildkit↗2024-02-07

▶

GHSA

Buildkit's interactive containers API does not validate entitlements check↗2024-01-31

▶

OSV

CVE-2024-23653: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner↗2024-01-31

▶

OSV

Buildkit's interactive containers API does not validate entitlements check↗2024-01-31

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)↗2024-02-22

▶

Red Hat

moby/buildkit: Buildkit's interactive containers API does not validate entitlements check↗2024-01-31

▶

Microsoft

BuildKit interactive containers API does not validate entitlements check↗2024-01-09

▶

🕵️Threat Intelligence

Wiz

Crying Out Cloud - March 2024 Newsletter | Wiz↗2024-03-01

▶

Wiz

Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog↗2024-02-05

▶

Wiz

Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog↗2024-02-05

▶

Bleepingcomputer

Leaky Vessels flaws allow hackers to escape Docker, runc containers↗2024-02-04

▶