SNYK-GOLANG-GITHUBCOMMOBYBUILDKITEXECUTOR-6209341
## Overview Affected versions of this package are vulnerable to Improper Link Resolution Before File Access (Leaky Vessels) allowing arbitrary file deletion on the host system. A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing arbitrary files in the host filesystem. ## Workaround Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing the `RUN --mount` feature. *This vulnerability was discovered and responsibly disclosed as part of the [Leaky Vessels](https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/) project.* ## Remediation Upgrade `github.com/moby/buildkit/executor` to version 0.12.5 or higher. ## References - [GitHub Commit](https://github.com/moby/buildkit/commit/00fe637d43aba66f0937f5bdf4b9fc96991794fd) - [Snyk Blog Post](https://snyk.io/blog/cve-2024-23652-buildkit-build-time-container-teardown-arbitrary-delete/)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Dec 11, 2023 CVE Updated
- Jan 31, 2024 CVE Published
References
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMOBYBUILDKITEXECUTOR-6209341 advisory
- https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/ technical
- https://github.com/moby/buildkit/commit/00fe637d43aba66f0937f5bdf4b9fc96991794fd patch
- https://snyk.io/blog/cve-2024-23652-buildkit-build-time-container-teardown-arbitrary-delete/ technical