Vulnerability DatabaseCVE-2024-23651

CVE-2024-23651:
Docker vulnerability analysis and mitigation

Overview

CVE-2024-23651 is a high-severity vulnerability (CVSS score: 8.7) discovered in BuildKit, a toolkit for converting source code to build artifacts. The vulnerability affects all versions of BuildKit <=v0.12.4 and was disclosed in January 2024. The issue stems from a time-of-check/time-of-use (TOCTOU) race condition when mounting a cache volume at container build time (Snyk Blog, NVD).

Technical details

The vulnerability occurs due to a race condition in the RUN --mount=type=cache directive in a Dockerfile, which allows for mounting persistent directories during Docker image build. When specifying a source path inside the identified cache mount, the validation of this source path introduces a race condition. A concurrent build step with the target cache directory mounted can replace the source path with a symbolic link between the check and use, causing the mount syscall to incorrectly mount an arbitrary directory into the container filesystem (Snyk Blog).

Impact

If successfully exploited, this vulnerability allows an attacker to gain unauthorized access to the underlying host operating system from within the container. The executing process inside the container can observe that the intended cache filesystem mount path contains a bind mount of the host root filesystem. With default access privileges typically set to root user, attackers can escalate from disk access to achieve full host root command execution (Snyk Blog, Hacker News).

Mitigation and workarounds

The vulnerability has been patched in BuildKit version v0.12.5. Users should update to this version or later. For those unable to update immediately, workarounds include avoiding the use of BuildKit frontend from untrusted sources and not building untrusted Dockerfiles containing cache mounts with --mount=type=cache,source=... options (GitHub Advisory, BuildKit Release).

Community reactions

Major cloud providers including AWS, Google Cloud, and Ubuntu have released alerts urging customers to take appropriate action. Docker has acknowledged that the vulnerability can only be exploited if a user actively engages with malicious content by incorporating it into the build process or running a container from a rogue image (Hacker News).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.4

Score

Published January 31, 2024

Severity HIGH

CNA Score 8.7

High-profile Vulnerability Yes

Affected Technologies

Docker
Datadog Agent

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 63.8

Exploitation Probability (EPSS) 0.5

Affected packages and libraries

podman
buildah

Sources

NVD
Alpine Security Tracker
- Alpine 3.17 Severity HIGHHas FixAdded at: Feb 11, 2024
- Alpine 3.18, 3.19, edge Severity HIGHHas FixAdded at: Feb 04, 2024
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
Bottlerocket GitHub Security Advisories
- Bottlerocket Severity HIGHHas FixAdded at: Feb 08, 2024
CBL-Mariner
- CBL-Mariner 2.0 Severity HIGHHas FixAdded at: Feb 18, 2024
- CBL-Mariner 3.0 Severity HIGHHas FixAdded at: May 04, 2025
Chainguard
- Chainguard Has FixAdded at: Feb 01, 2024
Gentoo Advisory Database
- Gentoo Severity LOWHas FixAdded at: Jul 07, 2024
GitHub Advisory Database
- GoLang Severity HIGHHas FixAdded at: Feb 01, 2024
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Feb 11, 2024
Ubuntu Security Tracker
- Ubuntu 18.04, 20.04, 22.04 Severity MEDIUMHas FixAdded at: Mar 05, 2024
- Ubuntu 24.04 Severity MEDIUMHas FixAdded at: May 06, 2024
- Ubuntu 24.10 Severity MEDIUMNo FixAdded at: Dec 10, 2024
- Ubuntu 25.04 Severity MEDIUMNo FixAdded at: May 08, 2025
Wolfi
- Wolfi Has FixAdded at: Feb 01, 2024