CVE-2024-23652

SOURCE - github

Summary

Impact

A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.

Patches

The issue has been fixed in v0.12.5.

Workarounds

Avoid using a BuildKit frontend from an untrusted source or building an untrusted Dockerfile that contains the RUN --mount feature.

References

EPSS Score: 0.00054 (0.223)

Common Weakness Enumeration (CWE)

SOURCE - nist

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

SOURCE - github

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

SOURCE - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

SOURCE - redhat

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


Ratings by source

Source     | Source ID           | Created | Updated | Exploitability score | Exploits found | CWE | CVSS score (severity)
-----------|---------------------|---------|---------|----------------------|----------------|-----|-------------------------------
NIST       |                     |         |         | 3.9                  | -              |     | 9.1 (critical)
GitHub     |                     |         |         | 3.9                  | -              |     | 10 (critical)
Alpine     |                     |         |         | -                    | -              | -   | rating unavailable from source
Ubuntu     |                     |         |         | 3.9                  | -              | -   | 9.1 (medium)
GoLang     |                     |         |         | -                    | -              | -   | rating unavailable from source
GitLab     | CVE-2024-23652      |         |         | 3.9                  | -              |     | 10 (critical)
Amazon     |                     |         |         | -                    | -              | -   | N/A (high)
Red Hat    |                     |         |         | 1.0                  | -              |     | 7.4 (high)
Chainguard | CGA-2cv7-75q6-cvrq  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-4v29-m22x-5m58  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-7vxc-hp2w-725j  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-7wr2-gxv6-5g96  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-9rhv-6x5x-p3wh  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-cf38-mj9p-m2h7  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-hqhv-f77r-cq7c  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-jh3p-vg64-hm2m  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-m737-5xv8-m883  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-mp67-g995-65f4  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-rpw2-9v92-4g7f  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-wgv3-9hrx-gj3g  |         |         | -                    | -              | -   | rating unavailable from source
Chainguard | CGA-x5pw-xwxw-p7jx  |         |         | -                    | -              | -   | rating unavailable from source