Sign In

CVE-2024-23651

SOURCE - github

Summary

Impact

Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.

Patches

The issue has been fixed in v0.12.5

Workarounds

Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

References

https://www.openwall.com/lists/oss-security/2019/05/28/1

EPSS Score: 0.00067 (0.299)

Common Weakness Enumeration (CWE)

SOURCE - nist

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

SOURCE - github

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

SOURCE - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

SOURCE - redhat

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Sources (21)

Impacted images

NIST

CREATED

UPDATED

SOURCE IDCVE-2024-23651
EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-362

CVSS SCORE

7.4high

GitHub

CREATED

UPDATED

SOURCE IDGHSA-m3r6-h7wv-7xxv
EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-362

CVSS SCORE

8.7high

Alpine

CREATED

UPDATED

SOURCE IDCVE-2024-23651
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Ubuntu

CREATED

UPDATED

SOURCE IDCVE-2024-23651
EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.4medium

GoLang

CREATED

UPDATED

SOURCE IDGO-2024-2493
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

GitLab

CREATED

UPDATED

SOURCE ID

CVE-2024-23651

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-362CWE-937

CVSS SCORE

8.7high

Amazon

CREATED

UPDATED

SOURCE IDALAS2023-2024-542
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Red Hat

CREATED

UPDATED

SOURCE IDCVE-2024-23651
EXPLOITABILITY SCORE

1.1

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-362

CVSS SCORE

7.5high

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-2pf6-mcw3-86w8

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-35v4-4g89-c7vg

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-5r59-v4x3-mcq8

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-7x8v-47c7-r9j5

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-8v8h-vjwp-w2q2

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-9qpq-5hvj-539p

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-cfmq-73h4-8888

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-hpfp-4ff7-27r4

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-m4g3-g2h3-p3rq

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-v5x3-4vp7-q26m

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-rgpg-f9fq-2pv5

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-wmg5-h8w8-cvgm

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-xv2h-pv92-v4rc

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE