What is CVE-2024-23652?

CVE-2024-23652 is a critical-severity vulnerability in Moby Buildkit, classified under Path Traversal. CVSS score: 10.0/10. Published 2024-01-31.

How severe is CVE-2024-23652?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Is CVE-2024-23652 known to be exploited?

9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Moby Buildkit

CVE-2024-23652

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created f…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.057 (90.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H.

Affected products

Moby Buildkit — versions < 0.12.5

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

References

https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8 (x_refsource_CONFIRM)
https://github.com/moby/buildkit/pull/4603 (x_refsource_MISC)
https://github.com/moby/buildkit/releases/tag/v0.12.5 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-23652?: CVE-2024-23652 is a critical-severity vulnerability in Moby Buildkit, classified under Path Traversal. CVSS score: 10.0/10. Published 2024-01-31.
How severe is CVE-2024-23652?: Critical severity. CVSS v3 base score is 10.0 out of 10.
Is CVE-2024-23652 known to be exploited?: 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.