CVE-2024-23652: 
Docker vulnerability analysis and mitigation

A vulnerability (CVE-2024-23652) was discovered in Docker Buildkit versions <=v0.12.4. The vulnerability occurs when BuildKit attempts to clean up temporarily added directories after their use during container operations. This security issue was discovered by Snyk and affects the Moby Builder Toolkit (Snyk Blog, GitHub Advisory).

The vulnerability manifests when using RUN --mount inside a Dockerfile. If the target directory for the mount is not present in the container filesystem, it will be created for the mount point and removed after use. However, if the parent of this target directory is replaced with a symbolic link during the container lifetime, the cleanup operations during container teardown will traverse this symbolic link. This can lead to the deletion of arbitrary files in the host filesystem, as Buildkit typically runs with root privileges (Snyk Blog).

When successfully exploited, this vulnerability allows an arbitrary Dockerfile-defined target file inside the host filesystem to be deleted. Since Buildkit generally operates with root privileges, this can result in the deletion of any file in the host filesystem (Snyk Blog).

The vulnerability has been patched in Buildkit version v0.12.5. Users are advised to update to this version or later. As a workaround, users should avoid using BuildKit frontend from untrusted sources or building untrusted Dockerfiles containing RUN --mount features. Technologies that bundle Buildkit, such as Docker Engine and Docker Desktop, should also be updated to their respective patched versions (Snyk Blog, GitHub Release).