CVE-2024-23653
Published 2024-01-31
Priority: P259 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.98% (85.6th percentile)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5. Avoid using BuildKit frontends from untrusted sources.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | moby_buildkit | >= 0 < 0.12.5 | 0.12.5 |
| moby | buildkit | < 0.12.5 | 0.12.5 |
| mobyproject | buildkit | < 0.12.5 | 0.12.5 |
| msrc | azl3_docker-buildx_0.12.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_docker-buildx_0.14.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_docker-compose_2.24.6-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_docker-compose_2.27.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_moby-engine_20.10.25-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_moby-engine_25.0.3-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_moby-buildx_0.7.1-18_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-buildx_0.7.1-24_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-cli_20.10.27-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-cli_20.10.27-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-compose_2.17.2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-compose_2.17.3-10_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-engine_20.10.27-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-engine_24.0.9-16_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | prisma_cloud | — | — |
Detection & IOCs (extracted from sources)
- CVE-2024-23653 is exploitable via a missing privilege check in a GRPC endpoint when called using a custom syntax format — monitor for unexpected GRPC calls to BuildKit's interactive containers API that request elevated/insecure entitlements without the security.insecure entitlement being explicitly enabled.
- Exploitation requires a malicious Dockerfile or upstream image (e.g., a malicious FROM image) — alert on container image builds that use untrusted or externally sourced BuildKit frontends or base images.
- The vulnerability affects Docker BuildKit <= v0.12.4 — detect vulnerable versions of buildkitd/moby-buildkit in the environment and flag any instance not yet patched to v0.12.5.
- Privilege escalation via BuildKit interactive containers API: watch for containers spawned during a build step that acquire full Linux capabilities or host root execution, which is the post-exploitation indicator for this CVE.
- CVE-2024-23653 arises from inadequate privilege checks in BuildKit's GRPC interface — monitor buildkitd GRPC traffic for requests invoking interactive container APIs with SecurityMode set to privileged/insecure without a corresponding entitlement grant.
- Exploitation requires the attacker to trick a user or process into processing a malicious BuildKit frontend — the vulnerability is NOT exploitable by arbitrary code execution in a running container alone; the image, Dockerfile, or BuildKit frontend must be specially crafted.
- The security.insecure entitlement must NOT be enabled in buildkitd configuration as a hardening measure; if it is already enabled by policy, the normal guard against this attack is absent.
- Risk is primarily to container build systems, not arbitrary running containers — prioritize patching build pipeline runners and CI/CD hosts over general-purpose container hosts.
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| vendor_msrc | 9.8 | CRITICAL | — |
| vendor_redhat | 9.8 | CRITICAL | — |
OSV
Privilege escalation in github.com/moby/buildkit
osv·2024-02-07
CVE-2024-23653 Privilege escalation in github.com/moby/buildkit
Privilege escalation in github.com/moby/buildkit
BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.
GHSA
Buildkit's interactive containers API does not validate entitlements check
ghsa·2024-01-31
CVE-2024-23653 [CRITICAL] CWE-863 Buildkit's interactive containers API does not validate entitlements check
Buildkit's interactive containers API does not validate entitlements check
### Impact
In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.
### Patches
The issue has been fixed in v0.12.5.
### Workarounds
Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified in the `#syntax` line of your Dockerfile, or with the `--frontend` flag when using the `buildctl build` command.
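The workaround above amounts to a policy check on which frontend a build may load. As an added example (not code from the BuildKit project or the advisory), the Python below parses a Dockerfile's leading `# syntax=` directive the way BuildKit's directive block works, normalises the image reference, and flags frontends outside an allowlist; the allowlist, the `ghcr.io/example/...` reference and the sample Dockerfiles are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# BuildKit only honours parser directives ("# key=value") in the comment
# block at the very top of a Dockerfile; the first line that is not a
# directive ends that block. Simplified re-implementation of that rule.
DIRECTIVE_RE = re.compile(r"^\s*#\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$")

# Assumed organisational allowlist of frontends ("registry/repository",
# no tag or digest). docker/dockerfile is BuildKit's official frontend.
TRUSTED_FRONTENDS = {"docker.io/docker/dockerfile"}


@dataclass
class FrontendCheck:
    syntax: Optional[str]      # raw value of the syntax directive, if any
    repository: Optional[str]  # normalised "registry/repo" of that value
    pinned_by_digest: bool     # reference carries "@sha256:..."
    allowed: bool              # no frontend, or a trusted one


def normalize_reference(ref: str) -> Tuple[str, bool]:
    """Map an image reference to ("registry/repo", pinned_by_digest)."""
    pinned = "@" in ref
    name = ref.split("@", 1)[0]
    # A tag is a ':' after the last '/', so a registry port is left alone.
    if name.rfind(":") > name.rfind("/"):
        name = name[: name.rfind(":")]
    parts = name.split("/")
    if len(parts) == 1:                       # "dockerfile" -> Docker Hub library
        return "docker.io/library/" + name, pinned
    if "." in parts[0] or ":" in parts[0] or parts[0] == "localhost":
        return name, pinned                   # explicit registry host
    return "docker.io/" + name, pinned        # Docker Hub user/org image


def parse_syntax_directive(dockerfile: str) -> Optional[str]:
    """Return the value of a leading '# syntax=' directive, or None."""
    for line in dockerfile.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m is None:
            return None      # directive block is over (blank, comment or FROM)
        if m.group(1).lower() == "syntax":
            return m.group(2)
    return None


def check_dockerfile(dockerfile: str, trusted=TRUSTED_FRONTENDS) -> FrontendCheck:
    """Flag a Dockerfile whose syntax directive points at an untrusted frontend."""
    syntax = parse_syntax_directive(dockerfile)
    if syntax is None:
        return FrontendCheck(None, None, False, True)
    repo, pinned = normalize_reference(syntax)
    return FrontendCheck(syntax, repo, pinned, repo in trusted)


# Constructed sample Dockerfiles (not from any real project).
OFFICIAL = "# syntax=docker/dockerfile:1.6\nFROM alpine\n"
UNTRUSTED = "# escape=`\n# syntax=ghcr.io/example/frontend:latest\nFROM alpine\n"
TOO_LATE = "FROM alpine\n# syntax=ghcr.io/example/frontend:latest\n"  # ignored by BuildKit
```

`check_dockerfile(UNTRUSTED)` returns `allowed=False` with `repository="ghcr.io/example/frontend"`, while `TOO_LATE` is reported as having no frontend at all, because a directive placed after the first instruction is not honoured by BuildKit. A CI gate can run this over every Dockerfile before invoking the builder and additionally require `pinned_by_digest` for anything outside the allowlist.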
OSV
CVE-2024-23653: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
osv·2024-01-31·CVSS 9.8
CVE-2024-23653 [CRITICAL] CVE-2024-23653: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
OSV
Buildkit's interactive containers API does not validate entitlements check
osv·2024-01-31
CVE-2024-23653 [CRITICAL] Buildkit's interactive containers API does not validate entitlements check
Buildkit's interactive containers API does not validate entitlements check
Palo Alto
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
vendor_paloalto·2024-02-22·CVSS 8.6
CVE-2024-21626 [HIGH] CWE-22 PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
The Palo Alto Networks Product Security Assurance team has evaluated the four vulnerabilities in Open Container Initiative's runc and Moby BuildKit software (collectively known as "Leaky Vessels") as it relates to our products. While Cortex XSOAR 8, Cortex XSOAR 6 Hosted, and Prisma Cloud Compute rely on this software, they do not offer any scenarios required for the successful
CVEs: CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653
Affected products: Cortex XSOAR, Prisma Cloud
Red Hat
moby/buildkit: Buildkit's interactive containers API does not validate entitlements check
vendor_redhat·2024-01-31·CVSS 9.8
CVE-2024-23653 [CRITICAL] CWE-863 moby/buildkit: Buildkit's interactive containers API does not validate entitlements check
moby/buildkit: Buildkit's interactive containers API does not validate entitlements check
A vulnerability was found in the Moby Builder Toolkit, specifically in th
Microsoft
BuildKit interactive containers API does not validate entitlements check
vendor_msrc·2024-01-09·CVSS 9.8
CVE-2024-23653 [CRITICAL] CWE-863 BuildKit interactive containers API does not validate entitlements check
BuildKit interactive containers API does not validate entitlements check
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
No detection rules found.
No public exploits indexed.
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz·2024-03-01·CVSS 8.6
CVE-2024-21626 [HIGH] Crying Out Cloud - March 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape; exploiting these vulnerabilities could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% percent of cloud environments have resources
Wiz
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
blogs_wiz·2024-02-05·CVSS 8.6
CVE-2024-21626 [HIGH] Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
New vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626) and in BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, meaning that exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating lateral movement in the larger Kubernetes or cloud environment.
The most significant flaw is CVE-2024-21626, enabling an unauthorized party to obtain filesystem access to the host OS, thereby gaining privileged control over the host. This flaw poses a significant threat to orchestration-based setups utilizing runC, such as Kubernetes. By exploiting this vulnerability, an attacker could execute a breakout onto the underlying Kubernetes node when d
Bleepingcomputer
Leaky Vessels flaws allow hackers to escape Docker, runc containers
blogs_bleepingcomputer·2024-02-04·CVSS 8.6
[HIGH] Leaky Vessels flaws allow hackers to escape Docker, runc containers
By Bill Toulas
## Escaping containers
Containers are applications packaged into a file that contains all the runtime dependencies, executables, and code required to run an application. These containers are executed by platforms like Docker and Kubernetes that run the application in a virtualized environment isolated from the operating system.
Container escape occurs when an attacker or a malicious application breaks out of the isolated container environment and gains unauthorized access to the host system or other containers.
Snyk team has found four vulnerabilities collectively called "Leaky Vessels" that impact the runc and Buildkit container infrastructure and build tools, potentially allowing attackers to perfo
Bugzilla
CVE-2024-23653 moby/buildkit: Buildkit's interactive containers API does not validate entitlements check
bugzilla·2024-02-01·CVSS 9.8
CVE-2024-23653 [CRITICAL] CVE-2024-23653 moby/buildkit: Buildkit's interactive containers API does not validate entitlements check
CVE-2024-23653 moby/buildkit: Buildkit's interactive containers API does not validate entitlements check
Docker Buildkit <= v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e., when using FROM).
- https://snyk.io/blog/cve-2024-23653-buildkit-grpc-securitymode-privilege-check/
- https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g
- https://github.com/moby/buildkit/pull/4602
- https://github.com/moby/buildkit/releases/tag/v0.12.5
Published: 2024-01-31