Cyber Resilience

CVE-2024-23652

Severity: Critical
Published: 31 January 2024
Modified: 21 November 2024
KEV: not listed
Patch: available (BuildKit v0.12.5)
CVSS v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
EPSS: 0.0570 (90.6th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-23652 is a critical-severity path traversal (CWE-22) vulnerability in BuildKit (moby/buildkit), the build engine used by Docker. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, its EPSS score of 0.0570 places it in the top 9.4% of CVEs by predicted exploit likelihood (90.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

BuildKit, the toolkit used by Docker and other container build systems to convert source code into build artifacts, contains a path traversal vulnerability (CWE-22) in versions prior to 0.12.5. When a RUN --mount instruction targets a path that does not exist in the build container, BuildKit creates an empty placeholder file at the mount point and removes it again after the step. A malicious frontend or Dockerfile can steer that cleanup at a path outside the container, so that an arbitrary file on the host running the build is deleted rather than the placeholder.

The CVSS vector records a network attack vector with no privileges and no user interaction, which reflects the usual deployment of BuildKit as a build service that accepts contexts from remote sources. In practice the precondition is that the attacker's input gets built: an attacker who can supply or influence a Dockerfile (for example through a repository a CI pipeline builds automatically) or a BuildKit frontend (selected by the Dockerfile's own syntax directive) can trigger the deletion. The vector's changed scope (S:C) captures that the impact crosses from the build sandbox to the host; confidentiality is not affected (C:N), but integrity and availability of host files are (I:H/A:H).

The official fix is included in BuildKit v0.12.5. Until the update can be applied, the project advisory recommends two workarounds: do not use BuildKit frontends from untrusted sources, and do not build untrusted Dockerfiles that use RUN --mount. The associated EPSS score has remained flat at 0.0570 with no material increase since disclosure.


Vulnerability details

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of BuildKit frontends from an untrusted source and not building an untrusted Dockerfile that contains the RUN --mount feature.
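The analysis and the advisory's workaround above both reduce to two questions a build-platform owner can answer offline: is the BuildKit in use older than the fixed release v0.12.5, and does a given Dockerfile use a frontend from an untrusted source or a RUN --mount instruction? The following Python is an added example that implements those two checks; it is not code from the BuildKit project or from this page. The trusted-frontend allowlist, the sample Dockerfiles and the ghcr.io/example-org image name are constructed for the example and should be adapted to local policy.

```python
"""Audit helpers for CVE-2024-23652 exposure.

Two checks a build-platform owner can run offline:
  1. is_vulnerable_version(): is the BuildKit in use older than the fixed release v0.12.5?
  2. audit_dockerfile(): does a Dockerfile use the constructs the advisory warns about,
     a custom frontend selected with '# syntax=' or a RUN --mount instruction?

Added example; not code from the BuildKit project.
"""
import re

FIXED_VERSION = (0, 12, 5)  # fix shipped in BuildKit v0.12.5 (per the advisory)

# Frontend image prefixes treated as trusted. Assumption made for this example:
# only the project's own Dockerfile frontend is allowlisted; adjust to local policy.
TRUSTED_FRONTEND_PREFIXES = ("docker/dockerfile", "docker.io/docker/dockerfile")

_SYNTAX_RE = re.compile(r"^\s*#\s*syntax\s*=\s*(\S+)", re.IGNORECASE)
# Flags (--mount, --network, --security) sit between RUN and the command, so only
# match --mount in that flag position, not inside the shell command itself.
_RUN_MOUNT_RE = re.compile(r"^\s*RUN(?:\s+--\S+)*\s+--mount[=\s]", re.IGNORECASE)
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from 'v0.12.4', '0.12.5+abc' or a whole
    'buildctl ... v0.12.5 ...' line; raise ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BuildKit version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True for any BuildKit release before v0.12.5."""
    return parse_version(text) < FIXED_VERSION


def audit_dockerfile(text):
    """Return [(line_no, finding), ...] for the constructs the advisory warns about."""
    findings = []
    lines = text.splitlines()

    # Parser directives such as '# syntax=' are only honoured in the comment block
    # at the very top of the file, so stop at the first instruction.
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped:
            continue
        if not stripped.startswith("#"):
            break
        m = _SYNTAX_RE.match(line)
        if m:
            image = m.group(1)
            label = "trusted" if image.startswith(TRUSTED_FRONTEND_PREFIXES) else "UNTRUSTED"
            findings.append((n, f"frontend ({label}): {image}"))

    # RUN --mount may appear anywhere; reassemble backslash-continued instructions
    # so the flag is matched against the whole logical instruction.
    start, buf = None, []
    for n, line in enumerate(lines, 1):
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        buf.append(line.rstrip())
        if buf[-1].endswith("\\"):
            continue
        logical = " ".join(part.rstrip("\\") for part in buf)
        if _RUN_MOUNT_RE.match(logical):
            findings.append((start, "RUN --mount instruction"))
        start, buf = None, []
    return findings


def needs_attention(buildkit_version, dockerfile_text):
    """True when a vulnerable BuildKit would build a Dockerfile that selects a
    non-official frontend or uses RUN --mount, i.e. the advisory's workaround is violated."""
    if not is_vulnerable_version(buildkit_version):
        return False
    return any("UNTRUSTED" in f or "RUN --mount" in f for _, f in audit_dockerfile(dockerfile_text))


# Constructed sample inputs (not taken from any real repository).
SAFE_DOCKERFILE = """\
FROM alpine:3.19
RUN apk add --no-cache curl
COPY . /app
"""

PINNED_DOCKERFILE = """\
# syntax=docker/dockerfile:1.6
FROM alpine:3.19
RUN --mount=type=cache,target=/var/cache/apk apk add curl
"""

RISKY_DOCKERFILE = """\
# syntax=ghcr.io/example-org/custom-frontend:latest
FROM golang:1.21
WORKDIR /src
COPY . .
RUN --mount=type=cache,target=/root/.cache/go-build \\
    go build -o /out/app ./...
RUN --network=none --mount=type=secret,id=token cat /run/secrets/token
"""

if __name__ == "__main__":
    for name, df in [("safe", SAFE_DOCKERFILE), ("pinned", PINNED_DOCKERFILE), ("risky", RISKY_DOCKERFILE)]:
        print(name, audit_dockerfile(df), "needs attention on v0.12.4:", needs_attention("v0.12.4", df))
```

Feed parse_version the line printed by buildctl --version, or the BuildKit version line from docker buildx inspect, and run audit_dockerfile over every Dockerfile a pipeline builds from external contributors. A trusted frontend is reported as informational because it is still pulled from a registry at build time; only an untrusted frontend or a RUN --mount instruction on a pre-0.12.5 daemon counts as violating the workaround.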

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mobyproject
buildkit
< 0.12.5 (fixed in v0.12.5)

Mitigating Controls

Likely mitigating controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories. For this CVE that validation belongs to BuildKit itself (it is what the v0.12.5 fix adds to the mount-point cleanup) and cannot be added from a Dockerfile, so the controls an operator can apply are upgrading BuildKit to v0.12.5 or later and, until then, building only Dockerfiles and frontends from trusted sources.
