Vulnerability Report: GO-2024-2497
- CVE-2024-23653, GHSA-wr6v-9f75-vh2g
- Affects: github.com/moby/buildkit
- Published: Feb 07, 2024
- Modified: May 20, 2024
BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special security.insecure entitlement is both enabled in the buildkitd configuration and allowed by the user initializing the build request.
Affected Packages
-
Path | Go Versions | Symbols
-
before v0.12.5
-
before v0.12.5
-
before v0.12.5
1 unexported affected symbol
- newController
-
before v0.12.5
-
before v0.12.5
References
- https://github.com/moby/buildkit/pull/4602
- https://github.com/moby/buildkit/commit/92cc595cfb12891d4b3ae476e067c74250e4b71e
- https://github.com/moby/buildkit/commit/5026d95aa3336e97cfe46e3764f52d08bac7a10e
- https://github.com/moby/buildkit/releases/tag/v0.12.5
- https://vuln.go.dev/ID/GO-2024-2497.json
Credits
- @rmcnamara-snyk