id: GO-2024-2493
modules:
    - module: github.com/moby/buildkit
      versions:
        - fixed: 0.12.5
      vulnerable_at: 0.12.4
      packages:
        - package: github.com/moby/buildkit/executor/oci
          symbols:
            - submounts.cleanup
            - submounts.subMount
            - sub
        - package: github.com/moby/buildkit/snapshot
          symbols:
            - LocalMounterWithMounts
            - localMounter.Mount
            - LocalMounter
      fix_links:
        - https://github.com/moby/buildkit/commit/f781267af1acb688e94740e1fdc22c1bf587d7fd
summary: Host system file access in github.com/moby/buildkit
description: |-
    Two malicious build steps running in parallel sharing the same cache mounts with
    subpaths could cause a race condition that can lead to files from the host
    system being accessible to the build container.
cves:
    - CVE-2024-23651
ghsas:
    - GHSA-m3r6-h7wv-7xxv
credits:
    - '@rmcnamara-snyk'
references:
    - fix: https://github.com/moby/buildkit/pull/4604
review_status: REVIEWED