[GO-2024-2493] Host system file access in github.com/moby/buildkit

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

Two malicious build steps running in parallel and sharing the same cache mounts with
subpaths can trigger a race condition that leaves files from the host system
accessible to the build container.

Package Affected Version
pkg:golang/github.com/moby/buildkit/snapshot >= 0.12.4, < 0.12.5
pkg:golang/github.com/moby/buildkit/executor/oci >= 0.12.4, < 0.12.5
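The affected range listed above can be checked mechanically against a project's go.mod. The Go program below is an added example, not code from this advisory or from the buildkit project: it encodes the range exactly as listed (>= 0.12.4, < 0.12.5), parses a constructed go.mod fragment that is embedded inline, and reports whether the required buildkit module version falls inside the range. Both affected packages (snapshot and executor/oci) belong to the same module, so the module version is the only input that matters.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Affected range taken from the advisory: >= 0.12.4, < 0.12.5.
const (
	vulnModule = "github.com/moby/buildkit"
	introduced = "v0.12.4"
	fixed      = "v0.12.5"
)

// semver holds the numeric core plus any pre-release suffix. Go pseudo-versions
// such as v0.12.5-0.20240201000000-abcdefabcdef carry a pre-release suffix and
// therefore sort below v0.12.5, which keeps them inside the affected range.
type semver struct {
	nums [3]int
	pre  string
}

// parseVersion accepts "v0.12.4", "0.12.4", pseudo-versions and "+incompatible".
func parseVersion(s string) (semver, error) {
	var v semver
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not a semver core: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare returns -1, 0 or 1. A pre-release sorts below the release with the
// same core, as in semver; two pre-release strings are compared lexically,
// which is an approximation of the full semver rules but enough here.
func compare(a, b semver) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// isAffected reports whether version lies in [introduced, fixed).
func isAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	lo, _ := parseVersion(introduced)
	hi, _ := parseVersion(fixed)
	return compare(v, lo) >= 0 && compare(v, hi) < 0, nil
}

// buildkitVersionFromGoMod scans go.mod text for the buildkit requirement in
// either the single-line or the block "require ( ... )" form. It returns ""
// when the module is absent and does not follow replace directives.
func buildkitVersionFromGoMod(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == vulnModule {
			return f[1]
		}
	}
	return ""
}

// Constructed go.mod fragment for this demonstration; not from any real project.
const sampleGoMod = `module example.com/builder

go 1.21

require (
	github.com/moby/buildkit v0.12.4
	github.com/opencontainers/go-digest v1.0.0
)
`

func main() {
	ver := buildkitVersionFromGoMod(sampleGoMod)
	affected, err := isAffected(ver)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s affected by GO-2024-2493: %v (fixed in %s)\n", vulnModule, ver, affected, fixed)
}
```

This is only the version arithmetic. For a real dependency check, govulncheck consumes the same database entry, resolves the full module graph including replace directives, and reports whether the vulnerable functions are actually reachable from your code.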
ID
GO-2024-2493
Severity
high
Severity from
CVE-2024-23651
URL
https://pkg.go.dev/vuln/GO-2024-2493
Published
2024-02-09T21:56:10
Modified
2024-05-14T19:19:00
Other Advisories
Source              ID                    URL
Security Advisory   GHSA-m3r6-h7wv-7xxv   https://github.com/advisories/GHSA-m3r6-h7wv-7xxv
Type      Package URL                                        Namespace                           Name       Version
Fixed     pkg:golang/github.com/moby/buildkit/snapshot       github.com/moby/buildkit            snapshot   = 0.12.5
Affected  pkg:golang/github.com/moby/buildkit/snapshot       github.com/moby/buildkit            snapshot   >= 0.12.4, < 0.12.5
Fixed     pkg:golang/github.com/moby/buildkit/executor/oci   github.com/moby/buildkit/executor   oci        = 0.12.5
Affected  pkg:golang/github.com/moby/buildkit/executor/oci   github.com/moby/buildkit/executor   oci        >= 0.12.4, < 0.12.5