Race Condition (Leaky Vessels) Affecting github.com/moby/buildkit/executor/oci package, versions <0.12.5


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.07% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMOBYBUILDKITEXECUTOROCI-6209338
  • published 31 Jan 2024
  • disclosed 11 Dec 2023
  • credit Rory McNamara (Snyk Security Research)

How to fix?

Upgrade github.com/moby/buildkit/executor/oci to version 0.12.5 or higher.

Overview

Affected versions of this package are vulnerable to Race Condition (Leaky Vessels) in the subpath mounting when two malicious build steps are running in parallel and sharing the same cache mounts. This can lead to files from the host system being accessible to the build container.

Workaround

Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

This vulnerability was discovered and responsibly disclosed as part of the Leaky Vessels project.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.9 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

7.4 high
Expand this section

Red Hat

7.5 high
Expand this section

SUSE

7.4 high