What is CVE-2024-23651?

CVE-2024-23651 is a high-severity vulnerability in Moby Buildkit, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 8.7/10. Published 2024-01-31.

How severe is CVE-2024-23651?

High severity. CVSS v3 base score is 8.7 out of 10.

Is CVE-2024-23651 known to be exploited?

9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Moby Buildkit

CVE-2024-23651

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition t…

Vulnerability class: Race Condition

EPSS: 0.005 (68.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.7 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N.

Affected products

Moby Buildkit — versions < 0.12.5

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

Public proof-of-concept exploits

References

https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv (x_refsource_CONFIRM)
https://github.com/moby/buildkit/pull/4604 (x_refsource_MISC)
https://github.com/moby/buildkit/releases/tag/v0.12.5 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-23651?: CVE-2024-23651 is a high-severity vulnerability in Moby Buildkit, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 8.7/10. Published 2024-01-31.
How severe is CVE-2024-23651?: High severity. CVSS v3 base score is 8.7 out of 10.
Is CVE-2024-23651 known to be exploited?: 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.