[GO-2024-2497] Privilege escalation in github.com/moby/buildkit
Severity: Critical
Affected Packages: 5
Fixed Packages: 5
CVEs: 1
BuildKit provides APIs for running interactive containers based on built images.
It was possible to use these APIs to ask BuildKit to run a container with
elevated privileges. Normally, running such containers is allowed only if the
special security.insecure entitlement is both enabled in the buildkitd
configuration and allowed by the user initializing the build request.
Package | Affected Version |
---|---|
pkg:golang/github.com/moby/buildkit/solver/llbsolver | >= 0.12.4, < 0.12.5 |
pkg:golang/github.com/moby/buildkit/frontend/gateway/forwarder | >= 0.12.4, < 0.12.5 |
pkg:golang/github.com/moby/buildkit/frontend/gateway/container | >= 0.12.4, < 0.12.5 |
pkg:golang/github.com/moby/buildkit/frontend/gateway | >= 0.12.4, < 0.12.5 |
pkg:golang/github.com/moby/buildkit/cmd/buildkitd | >= 0.12.4, < 0.12.5 |
Package | Fixed Version |
---|---|
pkg:golang/github.com/moby/buildkit/solver/llbsolver | = 0.12.5 |
pkg:golang/github.com/moby/buildkit/frontend/gateway/forwarder | = 0.12.5 |
pkg:golang/github.com/moby/buildkit/frontend/gateway/container | = 0.12.5 |
pkg:golang/github.com/moby/buildkit/frontend/gateway | = 0.12.5 |
pkg:golang/github.com/moby/buildkit/cmd/buildkitd | = 0.12.5 |
- ID: GO-2024-2497
- Severity: critical
- Severity from: CVE-2024-23653
- URL: https://pkg.go.dev/vuln/GO-2024-2497
- Published: 2024-02-06T22:17:51 (7 months ago)
- Modified: 2024-05-14T19:19:00 (4 months ago)

Other Advisories
Source | # ID | Name | URL |
---|---|---|---|
Security Advisory | | | https://github.com/advisories/GHSA-wr6v-9f75-vh2g |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/github.com/moby/buildkit/solver/llbsolver | github.com/moby/buildkit/solver | llbsolver | = 0.12.5 | |||
Affected | pkg:golang/github.com/moby/buildkit/solver/llbsolver | github.com/moby/buildkit/solver | llbsolver | >= 0.12.4 < 0.12.5 | |||
Fixed | pkg:golang/github.com/moby/buildkit/frontend/gateway/forwarder | github.com/moby/buildkit/frontend/gateway | forwarder | = 0.12.5 | |||
Affected | pkg:golang/github.com/moby/buildkit/frontend/gateway/forwarder | github.com/moby/buildkit/frontend/gateway | forwarder | >= 0.12.4 < 0.12.5 | |||
Fixed | pkg:golang/github.com/moby/buildkit/frontend/gateway/container | github.com/moby/buildkit/frontend/gateway | container | = 0.12.5 | |||
Affected | pkg:golang/github.com/moby/buildkit/frontend/gateway/container | github.com/moby/buildkit/frontend/gateway | container | >= 0.12.4 < 0.12.5 | |||
Fixed | pkg:golang/github.com/moby/buildkit/frontend/gateway | github.com/moby/buildkit/frontend | gateway | = 0.12.5 | |||
Affected | pkg:golang/github.com/moby/buildkit/frontend/gateway | github.com/moby/buildkit/frontend | gateway | >= 0.12.4 < 0.12.5 | |||
Fixed | pkg:golang/github.com/moby/buildkit/cmd/buildkitd | github.com/moby/buildkit/cmd | buildkitd | = 0.12.5 | |||
Affected | pkg:golang/github.com/moby/buildkit/cmd/buildkitd | github.com/moby/buildkit/cmd | buildkitd | >= 0.12.4 < 0.12.5 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|