CVE-2024-23652
Published: 31 January 2024
Summary
CVE-2024-23652 is a critical-severity Path Traversal (CWE-22) vulnerability in Mobyproject Buildkit. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
BuildKit, the toolkit used by Docker and other container build systems to convert source code into build artifacts, contains a path traversal vulnerability (CWE-22) that affects versions prior to 0.12.5. A malicious frontend or Dockerfile that leverages the RUN --mount option can abuse the mechanism responsible for cleaning up empty files created at mount points, causing arbitrary files on the host system outside the build container to be deleted.
An attacker who can supply or influence a BuildKit frontend or an untrusted Dockerfile can trigger this behaviour over the network with no authentication or user interaction required. Successful exploitation has high integrity and availability impact on the host; the CVSS 10.0 score reflects a scope change, since the impact extends beyond the build container to the host.
The official fix is included in BuildKit v0.12.5. Until the update can be applied, the project advisory recommends avoiding BuildKit frontends from untrusted sources and not building untrusted Dockerfiles that use the RUN --mount feature. The associated EPSS score has remained flat at 0.0570 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0254
Vulnerability details
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing the RUN --mount feature.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
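The control listed above, pathname validation against an intended root, illustrated in Go as an added example. This is not BuildKit's code and does not reproduce the v0.12.5 patch; it shows the general check a cleanup routine of the kind described in the analysis (removing empty placeholder files created for mountpoints) should perform before deleting anything: resolve the target, refuse any path whose lexical form or symlink-resolved parent directory lands outside the build root, and remove only empty regular files. The names ResolveInsideRoot and RemoveEmptyPlaceholder and the temporary directories in main are hypothetical, constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a cleanup target does not resolve to a
// location inside the build root.
var ErrOutsideRoot = errors.New("path resolves outside the build root")

// isWithin reports whether p is root itself or a descendant of root,
// comparing lexically (both arguments must already be clean, absolute paths).
func isWithin(root, p string) bool {
	r, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return r == "." || (r != ".." && !strings.HasPrefix(r, ".."+string(filepath.Separator)))
}

// ResolveInsideRoot joins rel onto root and returns the real path of the
// target, or ErrOutsideRoot if either the lexical path or the symlink-resolved
// parent directory escapes root. The final component is deliberately not
// followed, so the caller can inspect it with Lstat.
func ResolveInsideRoot(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(realRoot, rel) // Join cleans "../" components
	if !isWithin(realRoot, candidate) {
		return "", ErrOutsideRoot // plain traversal such as "../../etc/passwd"
	}
	dir, base := filepath.Split(candidate)
	realDir, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return "", err
	}
	if !isWithin(realRoot, realDir) {
		return "", ErrOutsideRoot // a directory on the path is a symlink pointing out of root
	}
	return filepath.Join(realDir, base), nil
}

// RemoveEmptyPlaceholder removes the file named by rel only if it resolves
// inside root and is an empty regular file, i.e. the kind of placeholder a
// mount setup would have created. Symlinks, directories and non-empty files
// are left untouched. It reports whether a file was removed.
func RemoveEmptyPlaceholder(root, rel string) (bool, error) {
	p, err := ResolveInsideRoot(root, rel)
	if err != nil {
		return false, err
	}
	fi, err := os.Lstat(p) // Lstat: do not follow a symlink in the last component
	if err != nil {
		return false, err
	}
	if !fi.Mode().IsRegular() || fi.Size() != 0 {
		return false, nil
	}
	return true, os.Remove(p)
}

func main() {
	// Constructed demo: a throwaway build root with one placeholder and a
	// symlinked directory that points outside the root.
	root, err := os.MkdirTemp("", "buildroot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	outside, err := os.MkdirTemp("", "host")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(outside)

	os.MkdirAll(filepath.Join(root, "mnt"), 0o755)
	os.WriteFile(filepath.Join(root, "mnt", "placeholder"), nil, 0o644)
	os.WriteFile(filepath.Join(outside, "hostfile"), nil, 0o644)
	os.Symlink(outside, filepath.Join(root, "escape"))

	// Only the first target is removed; the other two are rejected.
	for _, rel := range []string{"mnt/placeholder", "../" + filepath.Base(outside) + "/hostfile", "escape/hostfile"} {
		removed, err := RemoveEmptyPlaceholder(root, rel)
		fmt.Printf("%-45s removed=%v err=%v\n", rel, removed, err)
	}
}
```

The two-stage check matters: the lexical test alone would accept escape/hostfile, because the "../" never appears in the string, so the parent directory has to be resolved with EvalSymlinks and re-checked against the real root before the final Lstat decides whether the entry is an empty regular file.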