9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23653

GHSA ID

GHSA-wr6v-9f75-vh2g

EPSS Score

0.92107%

CWE

CWE-863

Published

1/31/2024

Updated

5/20/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23653

CVE-2024-23653: Buildkit's interactive containers API does not validate entitlements check

Impact

In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.

Patches

The issue has been fixed in v0.12.5 .

Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax line on your Dockerfile, or with --frontend flag when using buildctl build command.

References

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23653

GHSA ID

GHSA-wr6v-9f75-vh2g

EPSS Score

0.92107%

CWE

CWE-863

Published

1/31/2024

Updated

5/20/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/moby/buildkit	go	< 0.12.5	0.12.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from interactive container APIs accessing worker resources directly rather than through the build job context. Key functions like NewContainer and LLBBridgeToGatewayClient were modified in the patch to stop using worker.Worker.Executor() directly and instead use an executor passed through the build context. This indicates these functions previously lacked entitlement validation by accessing worker resources directly. The gateway frontend initialization was similarly modified to use worker info rather than direct worker access, showing it was part of the insecure path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In ***ition to runnin* *ont*in*rs *s *uil* st*ps, *uil*Kit *lso provi**s *PIs *or runnin* int*r**tiv* *ont*in*rs **s** on *uilt im***s. It w*s possi*l* to us* t**s* *PIs to *sk *uil*Kit to run * *ont*in*r wit* *l*v*t** privil***s. Norm*lly

Reasoning

T** vuln*r**ility st*mm** *rom int*r**tiv* *ont*in*r *PIs ****ssin* work*r r*sour**s *ir**tly r*t**r t**n t*rou** t** *uil* jo* *ont*xt. K*y *un*tions lik* `N*w*ont*in*r` *n* `LL**ri***To**t*w*y*li*nt` w*r* mo*i*i** in t** p*t** to stop usin* `work*r

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-23653: Buildkit's interactive containers API does not validate entitlements check

Impact

Patches

Workarounds

References

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI