PT-2024-1518 · Buildkit+2
Rmcnamara-Snyk · Published 2024-01-31 · Updated 2026-05-18
CVE-2024-23653
CVSS v2.0: 10.0 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
BuildKit versions prior to 0.12.5
Description
The vulnerability is an incorrect authorization check in BuildKit that allows a remote attacker to run a container with elevated privileges. In addition to running containers as build steps, BuildKit provides APIs for running interactive containers based on built images. In affected versions these APIs could be used to ask BuildKit to start such a container with elevated privileges. Normally that is only allowed when the special security.insecure entitlement is both enabled in the buildkitd configuration and explicitly allowed by the user who initiates the build request; the vulnerable API path did not enforce this check. Because Dockerfile frontends are themselves images executed by the builder with access to these APIs, a malicious frontend from an untrusted source can trigger the issue during an otherwise ordinary build.
Recommendations
Update to BuildKit 0.12.5 or later; the missing entitlement check is enforced from that release.
As a temporary workaround, avoid using BuildKit frontends from untrusted sources: a frontend is pulled and executed by the builder, so a malicious one can reach the affected API.
Restrict access to the security.insecure entitlement: do not grant it in the buildkitd configuration (the insecure-entitlements key of buildkitd.toml, or the --allow-insecure-entitlement flag) unless a build genuinely needs it, and do not pass --allow security.insecure on build requests by default. This reduces exposure but does not replace the update.
Avoid using the APIs for running interactive containers based on built images until the builder has been updated.
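The two checks a builder operator would want after reading the recommendations above, as an added example (this script is not part of the PT advisory or of BuildKit's own tooling): whether the installed BuildKit predates the fixed release, and whether buildkitd.toml grants the security.insecure entitlement at all. It assumes the version text comes from buildctl --version (which prints a line of the form buildctl github.com/moby/buildkit v0.12.4 <commit>; that exact layout is an assumption here, and the parser simply takes the first MAJOR.MINOR.PATCH it finds) or from docker buildx inspect, and that entitlements are granted through the documented top-level insecure-entitlements key of buildkitd.toml. The two configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for CVE-2024-23653; not part of the PT advisory or of
# BuildKit's own tooling. Two operator checks for a buildkitd host:
#   1. is the installed BuildKit older than the fixed release 0.12.5?
#   2. does buildkitd.toml grant the security.insecure entitlement?
# Assumptions: the version text comes from `buildctl --version` or
# `docker buildx inspect` (any text containing MAJOR.MINOR.PATCH works),
# and entitlements are granted via the top-level
# `insecure-entitlements = [ ... ]` key of buildkitd.toml.

FIXED_VERSION="0.12.5"

# Reduce a version line to its first MAJOR.MINOR.PATCH triple, e.g.
# "buildctl github.com/moby/buildkit v0.12.4 d4c4a9d" -> "0.12.4".
# Pre-release suffixes such as "-rc1" are dropped, so a 0.12.5-rc build
# would be reported as fixed; check such tags by hand. Prints nothing
# when no triple is present.
buildkit_version_core() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' \
        | head -n 1
}

# Numeric comparison of two MAJOR.MINOR.PATCH strings: 0 when $1 < $2.
semver_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# 0 when the version in $1 is affected (older than 0.12.5),
# 1 when it is the fixed release or newer, 2 when nothing parses.
buildkit_is_vulnerable() {
    core=$(buildkit_version_core "$1")
    [ -n "$core" ] || return 2
    semver_lt "$core" "$FIXED_VERSION"
}

# 0 when the buildkitd.toml at $1 lists security.insecure inside
# insecure-entitlements, 1 otherwise. Comments are stripped first and
# the file is joined into one line so a multi-line array is handled;
# "[^]]*" keeps the match inside that one array.
config_grants_security_insecure() {
    sed 's/#.*$//' "$1" \
        | tr '\n' ' ' \
        | grep -q 'insecure-entitlements[[:space:]]*=[[:space:]]*\[[^]]*security\.insecure'
}

# Demonstration on two constructed configs: "open" grants the
# entitlement, "hardened" is the recommended form that leaves it out.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/open.toml" <<'EOF'
debug = false
insecure-entitlements = [ "network.host", "security.insecure" ]
EOF
    cat > "$dir/hardened.toml" <<'EOF'
debug = false
# security.insecure deliberately not granted; builds that request it fail
insecure-entitlements = [ "network.host" ]
EOF
    for f in open hardened; do
        if config_grants_security_insecure "$dir/$f.toml"; then
            echo "$f.toml: grants security.insecure"
        else
            echo "$f.toml: does not grant security.insecure"
        fi
    done
    rm -rf "$dir"

    # Live version check when a buildctl client is on PATH.
    if command -v buildctl >/dev/null 2>&1; then
        v=$(buildctl --version 2>/dev/null)
        rc=0; buildkit_is_vulnerable "$v" || rc=$?
        case $rc in
            0) echo "buildctl $(buildkit_version_core "$v"): older than $FIXED_VERSION, update" ;;
            1) echo "buildctl $(buildkit_version_core "$v"): fixed release or newer" ;;
            *) echo "could not parse a version from: $v" ;;
        esac
    fi
}

demo
```

Run it on the host that runs buildkitd, or point config_grants_security_insecure at a copy of its buildkitd.toml. The hardened configuration simply leaves security.insecure out of insecure-entitlements, so buildkitd refuses a build request that asks for --allow security.insecure; the update to 0.12.5 makes the interactive-container API subject to that same entitlement check, which is the gap the affected versions left open.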
Weakness Enumeration
Incorrect Authorization (CWE-863)
Related Identifiers
CVE-2024-23653
Affected Products
Astra Linux
Buildkit
Suse