Home > Vulnerability Database > CVE-2024-23651

Mend.io Vulnerability Database

CVE-2024-23651

Good to know:

Date: January 31, 2024

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

Language: Go

Severity Score

8.7

Related Resources (6)

Url: https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv

Url: https://github.com/moby/buildkit

Url: https://github.com/moby/buildkit/releases/tag/v0.12.5

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23651

Url: https://github.com/moby/buildkit/pull/4604

Url: https://www.mend.io/vulnerability-database/CVE-2024-23651

Severity Score

8.7

Weakness Type (CWE)

Race Conditions

CWE-362

Top Fix

Upgrade Version

Upgrade to version v0.12.5

Learn More

CVSS v3.1

Base Score:	8.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23651

Good to know:

Date: January 31, 2024

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?