
CVE-2024-23653

Published: 31/01/2024 Updated: 09/02/2024
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is allowed only if the special `security.insecure` entitlement is both enabled in the buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5. Avoid using BuildKit frontends from untrusted sources.

Vulnerable Product

mobyproject buildkit

Vendor Advisories

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of ...
Description: A vulnerability was found in the Moby Builder Toolkit, specifically in the Interactive Containers API, where entitlement checks are not adequately validated, caused by a missing privilege check in a GRPC endpoint when called using a custom syntax format. This flaw allows the currently running privileged container to leverage its e ...
PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653) ...

Github Repositories

Leaky Vessels Dynamic Detector

In this repository you'll find a reference implementation for an eBPF-based runtime detection for the runc and Docker vulnerabilities CVE-2024-21626, CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653. It hooks into Linux syscalls (e.g., chdir, mount) and function invocations of the Docker daemon and associates them with Docker builds and con

Static detection tool for runc and Docker "Leaky Vessels" vulnerabilities

Leaky Vessels Static Detector: A static analysis based exploit detector for runc and Docker vulnerabilities. Overview: runc process.cwd & Leaked fds Container Breakout [CVE-2024-21626]. CVE-2024-21626 is a vulnerability in the runc container runtime allowing an attacker to break out of the container isolation and achieve full root RCE via a crafted image that exploits an
