CVE-2024-23652
Host system modification in github.com/moby/buildkit
CVSS 3.1 base score: 10.0 (CRITICAL)
EPSS: 5.7%
Description
A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.
How to fix CVE-2024-23652
To remediate CVE-2024-23652, upgrade the affected package to a fixed version below.
- Go/github.com/moby/buildkit—upgrade to 0.12.5 or later
- —upgrade to 0.12.5 or later
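As an added example (not code from this advisory or from the BuildKit project), the following Go program checks whether a Go project's go.mod still pins github.com/moby/buildkit below the fixed release 0.12.5 named above. It assumes go.mod-style version strings (a leading "v") and deliberately treats pre-releases and pseudo-versions of v0.12.5 as still affected, since they sort before the tagged release.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const buildkitModule = "github.com/moby/buildkit" // module path named in the advisory
var fixedCore = [3]int{0, 12, 5}                  // v0.12.5, the first release with the fix

// olderThanFixed reports whether a go.mod version "vMAJOR.MINOR.PATCH[-pre][+build]" sorts
// before v0.12.5. A pre-release or pseudo-version sharing that core (v0.12.5-rc1,
// v0.12.5-0.20240101...) is still older than the release and so still counts as affected.
func olderThanFixed(v string) (bool, error) {
	if i := strings.IndexByte(v, '+'); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	var c [3]int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &c[0], &c[1], &c[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q: %v", v, err)
	}
	for i := range c {
		if c[i] != fixedCore[i] {
			return c[i] < fixedCore[i], nil
		}
	}
	return strings.Contains(v, "-"), nil // same core: only a pre-release tag makes it older
}

// AffectedBuildKitVersions scans go.mod text and returns every buildkit requirement below the fix,
// whether written inline ("require github.com/moby/buildkit v0.12.4") or inside a require block.
func AffectedBuildKitVersions(goMod string) ([]string, error) {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require"))
		if len(f) < 2 || f[0] != buildkitModule { // skips blank, replace and unrelated lines
			continue
		}
		old, err := olderThanFixed(f[1])
		if err != nil {
			return nil, err
		}
		if old {
			hits = append(hits, f[1])
		}
	}
	return hits, nil
}
```

Feed it the contents of a go.mod (for example via os.ReadFile) and treat any non-empty result as a finding; a replace directive pointing at a patched fork is not evaluated and must be reviewed by hand.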
Is CVE-2024-23652 being exploited?
Moderate — EPSS is 5.7%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 0.12.5
- from 0, < 0.12.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (10.0) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H |