BuildKit Security Update Advisory (CVE-2024-23651)

Overview

An update has been released that fixes a vulnerability in BuildKit (CVE-2024-23651). Users of affected versions are advised to update to the patched version or later.
 

Affected Products

BuildKit 0.12.4 and all earlier versions (i.e., any version prior to 0.12.5)

 

Resolved Vulnerabilities

A race condition caused by a time-of-check/time-of-use (TOCTOU) issue in the handling of cache mounts during container builds in Moby BuildKit.
Two malicious build steps running in parallel and sharing the same cache mount with a subpath could trigger the race, allowing files on the host system to become accessible inside the build container, which amounts to a container escape to the host OS.

 

Vulnerability Patches

The fix is included in the update published on February 2. Follow the instructions on the referenced sites to update to the patched version (or any later release).

BuildKit version 0.12.5 or later (the fix adds extra validation for submount sources; see [2] and [3])
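A version check that a practitioner can run against their own builders to see whether they fall in the affected range above, as an added example that is not part of this advisory or of the BuildKit project. The fixed version (0.12.5) is taken from the advisory; the output formats it parses for `buildctl --version` and `docker buildx inspect --bootstrap` are assumptions, illustrated by constructed sample outputs embedded in the script. Pre-release builds are deliberately reported as "unknown" rather than guessed, since the advisory states its range in terms of releases.

```python
"""Assess whether a BuildKit installation falls in the affected range of CVE-2024-23651.

Added example for this advisory; it is not code from the BuildKit project.
Assumptions (labelled, not taken from the advisory):
  * `buildctl --version` prints a line containing the version, e.g.
        buildctl github.com/moby/buildkit v0.12.4 <commit>
  * `docker buildx inspect --bootstrap` prints a "Nodes:" section in which each node
    has "Name:" and "Buildkit:" lines, e.g.
        Buildkit:  v0.12.4
  * The advisory's range (0.12.4 and earlier, fixed in 0.12.5) is stated for releases;
    pre-release builds are reported as "unknown" rather than guessed.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

FIXED_VERSION = (0, 12, 5)  # first release containing the fix (v0.12.5)

# "v" prefix optional; optional pre-release suffix such as "-rc1" or "-beta3"
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, Optional[str]]]:
    """Return (major, minor, patch, prerelease) for the first version in text, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def assess(text: str) -> str:
    """Classify a version string as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, prerelease = parsed
    if prerelease is not None:
        # Pre-release builds are not covered by the stated release range; compare the
        # build's commit against the fix instead of guessing from the number.
        return "unknown"
    return "affected" if (major, minor, patch) < FIXED_VERSION else "fixed"


def assess_inspect_output(output: str) -> Dict[str, str]:
    """Map every node in `docker buildx inspect` output to its assessment."""
    results: Dict[str, str] = {}
    in_nodes = False
    node: Optional[str] = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped == "Nodes:":
            in_nodes = True
            continue
        if not in_nodes:
            continue  # the builder-level "Name:" line is not a node
        if stripped.startswith("Name:"):
            node = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Buildkit:") and node is not None:
            results[node] = assess(stripped.split(":", 1)[1].strip())
    return results


# Constructed sample outputs in the assumed formats (not captured from a real host).
SAMPLE_BUILDCTL_OLD = "buildctl github.com/moby/buildkit v0.12.4 0123456789abcdef"
SAMPLE_INSPECT = """\
Name:          default
Driver:        docker-container

Nodes:
Name:      default0
Endpoint:  unix:///var/run/docker.sock
Status:    running
Buildkit:  v0.12.4
Platforms: linux/amd64
"""


def _run(cmd) -> Optional[str]:
    """Run a command and return its stdout, or None if the binary is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("sample buildctl:", assess(SAMPLE_BUILDCTL_OLD))               # affected
    print("sample buildx nodes:", assess_inspect_output(SAMPLE_INSPECT))  # {'default0': 'affected'}
    # Live checks, only if the tools are present on this host.
    out = _run(["buildctl", "--version"])
    if out:
        print("local buildctl:", assess(out))
    out = _run(["docker", "buildx", "inspect", "--bootstrap"])
    if out:
        print("local buildx nodes:", assess_inspect_output(out))
```

Note that `docker buildx version` reports the buildx CLI version, not the BuildKit daemon version, which is why the script inspects the builder nodes instead; with the docker-container driver, each node can run a different BuildKit, so every node is assessed separately.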

 

Referenced Sites

[1] CVE-2024-23651 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-23651
[2] exec: add extra validation for submount sources
https://github.com/moby/buildkit/pull/4604
[3] v0.12.5
https://github.com/moby/buildkit/releases/tag/v0.12.5
[4] Possible race condition with accessing subpaths from cache mounts
https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv