
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-23653 is a vulnerability discovered in BuildKit versions up to v0.12.4, affecting the Interactive Containers API. The vulnerability allows attackers to run containers with elevated privileges, bypassing the normal security restrictions that require the security.insecure entitlement to be enabled in both buildkitd configuration and user build request (Snyk Blog, GitHub Advisory).
The flaw is in the Container.Start endpoint of BuildKit's gateway gRPC API, which a build frontend (the image named in a Dockerfile's # syntax line) is permitted to call. Container.Start did not validate the StartRequest.SecurityMode argument against the entitlements granted by the buildkitd configuration and by the build request, so a malicious frontend could set the security mode to INSECURE and have BuildKit launch privileged containers during the build (Snyk Blog).
When successfully exploited, the vulnerability lets an attacker start a privileged container during the build and use its elevated privileges (such as full Linux capabilities) to escape the container and execute commands as root on the host (Snyk Blog).
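The missing check, modelled as an added example. This is not BuildKit's code: the type and function names are this example's own, and only the entitlement name security.insecure, the buildkitd.toml key insecure-entitlements and the --allow build flag are real. The vulnerable variant honours whatever security mode the frontend asks for; the hardened variant enforces the rule the advisory states, that INSECURE is granted only when both the daemon configuration and the build request allow it.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityMode mirrors the two modes a gateway start request can ask for.
type SecurityMode int

const (
	SecurityModeSandbox  SecurityMode = iota // default confined container
	SecurityModeInsecure                     // privileged container
)

// StartRequest is a simplified stand-in for the gateway's Container.Start argument.
type StartRequest struct {
	ContainerID  string
	SecurityMode SecurityMode
}

const EntitlementSecurityInsecure = "security.insecure"

// knownEntitlements lists the names this example accepts (assumption: only
// these two; real buildkitd releases may know more).
var knownEntitlements = map[string]bool{
	EntitlementSecurityInsecure: true,
	"network.host":              true,
}

// ParseEntitlements turns the strings from buildkitd.toml
// (insecure-entitlements = ["security.insecure"]) or from repeated --allow
// flags on the build request into a set, rejecting unknown names.
func ParseEntitlements(names []string) (map[string]bool, error) {
	set := make(map[string]bool, len(names))
	for _, n := range names {
		if !knownEntitlements[n] {
			return nil, fmt.Errorf("unknown entitlement %q", n)
		}
		set[n] = true
	}
	return set, nil
}

// Policy is what the daemon knows when a frontend calls Container.Start.
type Policy struct {
	DaemonAllowed map[string]bool // from buildkitd configuration
	BuildAllowed  map[string]bool // from the user's build request (--allow)
}

// vulnerableStart models the pre-v0.12.5 behaviour the advisory describes:
// the requested mode is used without consulting either entitlement set, so a
// malicious frontend gets a privileged container simply by asking for one.
func vulnerableStart(req StartRequest, _ Policy) (SecurityMode, error) {
	return req.SecurityMode, nil
}

// hardenedStart grants INSECURE only when security.insecure is allowed by
// BOTH the daemon configuration and the build request; otherwise the request
// is refused rather than silently downgraded.
func hardenedStart(req StartRequest, p Policy) (SecurityMode, error) {
	if req.SecurityMode != SecurityModeInsecure {
		return req.SecurityMode, nil
	}
	if !p.DaemonAllowed[EntitlementSecurityInsecure] {
		return SecurityModeSandbox, errors.New("security.insecure is not enabled in buildkitd configuration")
	}
	if !p.BuildAllowed[EntitlementSecurityInsecure] {
		return SecurityModeSandbox, errors.New("security.insecure was not allowed by the build request")
	}
	return SecurityModeInsecure, nil
}

func main() {
	// Constructed scenario: the daemon permits the entitlement, but the user
	// never passed --allow security.insecure for this particular build.
	daemon, _ := ParseEntitlements([]string{"security.insecure"})
	build, _ := ParseEntitlements(nil)
	p := Policy{DaemonAllowed: daemon, BuildAllowed: build}
	req := StartRequest{ContainerID: "frontend-ctr-1", SecurityMode: SecurityModeInsecure}

	mode, err := vulnerableStart(req, p)
	fmt.Printf("vulnerable: mode=%d err=%v\n", mode, err)

	mode, err = hardenedStart(req, p)
	fmt.Printf("hardened:   mode=%d err=%v\n", mode, err)
}
```

The point of the two-sided check is that the frontend is attacker-controlled input: an entitlement the daemon operator permits in general still has to be claimed explicitly by the person running the build, and the server must re-check both on every request that can raise privilege.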
The vulnerability has been patched in BuildKit v0.12.5, Moby (Docker Engine) v25.0.2, and Docker Desktop v4.27.1, and organizations are advised to update to these versions or later. Where updating is not yet possible, avoid BuildKit frontends from untrusted sources: a frontend is selected by the # syntax line at the top of a Dockerfile or by the --frontend flag of buildctl build, and any image named there runs as a client of the gateway API (GitHub Advisory, Wiz Blog).
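A check for the workaround above, as an added example that is not part of the advisory or of BuildKit: it extracts the frontend pinned by a Dockerfile's # syntax parser directive and flags images that are not on an allowlist. The directive pattern and the rule that directives must precede every other line follow the Dockerfile parser-directive documentation; the function names, the Finding type, the allowlist and the sample Dockerfiles are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Parser directives are "# key=value" comment lines that must appear before
// any other comment, blank line or instruction. BuildKit matches them with a
// pattern equivalent to this one.
var directiveRe = regexp.MustCompile(`^#\s*([a-zA-Z][a-zA-Z0-9]*)\s*=\s*(.+?)\s*$`)

// SyntaxDirective returns the image named by "# syntax=..." in the Dockerfile
// header, or ok=false when there is none. Scanning stops at the first line
// that is not a parser directive, so a "# syntax=" buried further down is
// ignored, just as BuildKit would ignore it.
func SyntaxDirective(dockerfile string) (image string, ok bool) {
	dockerfile = strings.TrimPrefix(dockerfile, "\uFEFF") // strip UTF-8 BOM
	for _, line := range strings.Split(dockerfile, "\n") {
		m := directiveRe.FindStringSubmatch(strings.TrimRight(line, "\r"))
		if m == nil {
			return "", false
		}
		if strings.EqualFold(m[1], "syntax") {
			return m[2], true
		}
	}
	return "", false
}

// NormalizeRepo reduces an image reference to its fully qualified repository
// so that "docker/dockerfile:1", "docker.io/docker/dockerfile:1.6" and a
// digest-pinned form all compare equal.
func NormalizeRepo(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 { // drop @sha256:... digest
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") { // drop :tag
		ref = ref[:i]
	}
	parts := strings.Split(ref, "/")
	// The first component is a registry only if it looks like a host.
	isRegistry := strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost"
	if !isRegistry {
		if len(parts) == 1 {
			parts = append([]string{"library"}, parts...)
		}
		parts = append([]string{"docker.io"}, parts...)
	}
	return strings.Join(parts, "/")
}

// DefaultTrustedFrontends is this example's allowlist: the official Dockerfile
// frontend only. Extend it with frontends you build and sign yourself.
var DefaultTrustedFrontends = []string{"docker/dockerfile"}

// Finding reports what the scan concluded for one Dockerfile.
type Finding struct {
	Image     string // raw directive value, "" if the file has no syntax directive
	Repo      string // normalized repository of Image
	Untrusted bool   // true when a frontend is pinned that is not on the allowlist
}

// CheckFrontend flags a Dockerfile whose "# syntax=" frontend is not trusted.
// A Dockerfile without the directive uses the builder's built-in frontend and
// is not flagged.
func CheckFrontend(dockerfile string, trusted []string) Finding {
	image, ok := SyntaxDirective(dockerfile)
	if !ok {
		return Finding{}
	}
	repo := NormalizeRepo(image)
	for _, t := range trusted {
		if NormalizeRepo(t) == repo {
			return Finding{Image: image, Repo: repo}
		}
	}
	return Finding{Image: image, Repo: repo, Untrusted: true}
}

func main() {
	// Constructed Dockerfiles, not taken from any real project.
	samples := map[string]string{
		"official":   "# syntax=docker/dockerfile:1\nFROM alpine:3.19\nRUN echo ok\n",
		"thirdparty": "# syntax=registry.example.com/ci/frontend:latest\nFROM alpine:3.19\n",
		"none":       "FROM alpine:3.19\n# syntax=registry.example.com/ci/frontend:latest\n",
	}
	for name, df := range samples {
		f := CheckFrontend(df, DefaultTrustedFrontends)
		fmt.Printf("%-10s image=%q untrusted=%v\n", name, f.Image, f.Untrusted)
	}
}
```

Two caveats when using this in CI: it only inspects Dockerfiles, so a frontend passed with buildctl's --frontend flag or through the BUILDKIT_SYNTAX build argument is not covered, and the allowlist is a stop-gap; on a patched BuildKit the gateway enforces the entitlement regardless of which frontend is used.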
Source: This report was generated using AI