Mobyproject Buildkit
By the Year
In 2024 there have been 4 vulnerabilities in Mobyproject Buildkit with an average score of 7.9 out of ten. Last year Buildkit had 1 security vulnerability published. That is, 3 more vulnerabilities have already been reported in 2024 as compared to last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 1.40.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 4 | 7.90 |
| 2023 | 1 | 6.50 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Buildkit vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Mobyproject Buildkit Security Vulnerabilities
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
CVE-2024-23653
9.8 - Critical
- January 31, 2024
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources.
AuthZ
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
CVE-2024-23652
9.1 - Critical
- January 31, 2024
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.
Directory traversal
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
CVE-2024-23651
7.4 - High
- January 31, 2024
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
Race Condition
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
CVE-2024-23650
5.3 - Medium
- January 31, 2024
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.
Improper Check for Unusual or Exceptional Conditions
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner
CVE-2023-26054
6.5 - Medium
- March 06, 2023
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.
Information Disclosure
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Mobyproject Buildkit or by Mobyproject? Click the Watch button to subscribe.
