CVE-2024-23651

Published: 31/01/2024 Updated: 09/02/2024
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2
VMScore: 0

Vulnerability Summary

BuildKit is a toolkit for converting source code into build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel and sharing the same cache mounts with subpaths could trigger a race condition that makes files from the host system accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of a BuildKit frontend from an untrusted source, and avoiding building an untrusted Dockerfile that contains cache mounts with --mount=type=cache,source=... options.

Vulnerable Product: mobyproject buildkit

Vendor Advisories

Description: A race condition issue was found in the Moby Builder Toolkit, stemming from a time-of-check/time-of-use (TOCTOU) vulnerability during cache volume mounting at container build time. Concurrent execution of two malicious build steps, sharing the same cache mounts with subpaths, may result in files from the host system being accessib ...
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653) ...

Github Repositories

Leaky Vessels Dynamic Detector

Leaky Vessels Dynamic Detector: In this repository you'll find a reference implementation of an eBPF-based runtime detection for the runc and Docker vulnerabilities CVE-2024-21626, CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653. It hooks into Linux syscalls (e.g., chdir, mount) and function invocations of the Docker daemon and associates them with Docker builds and con

Static detection tool for runc and Docker "Leaky Vessels" vulnerabilities

Leaky Vessels Static Detector: A static-analysis-based exploit detector for runc and Docker vulnerabilities. Overview: runc process.cwd & Leaked fds Container Breakout [CVE-2024-21626]. CVE-2024-21626 is a vulnerability in the runc container runtime allowing an attacker to break out of the container isolation and achieve full root RCE via a crafted image that exploits an