VDB

SNYK-GOLANG-GITHUBCOMMOBYBUILDKITEXECUTOR-6209341

SNYK-GOLANG-GITHUBCOMMOBYBUILDKITEXECUTOR-6209341 PUBLISHED CVSS 6 MEDIUM

## Overview Affected versions of this package are vulnerable to Improper Link Resolution Before File Access (Leaky Vessels) allowing arbitrary file deletion on the host system. A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing arbitrary files in the host filesystem. ## Workaround Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing the `RUN --mount` feature. *This vulnerability was discovered and responsibly disclosed as part of the [Leaky Vessels](https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/) project.* ## Remediation Upgrade `github.com/moby/buildkit/executor` to version 0.12.5 or higher. ## References - [GitHub Commit](https://github.com/moby/buildkit/commit/00fe637d43aba66f0937f5bdf4b9fc96991794fd) - [Snyk Blog Post](https://snyk.io/blog/cve-2024-23652-buildkit-build-time-container-teardown-arbitrary-delete/)

Risk Scores

CVSS 3.1
6
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P

Affected Products

VendorProductVersions
0

Timeline

  • Dec 11, 2023 CVE Updated
  • Jan 31, 2024 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›