CVE-2024-23651
Publication date 31 January 2024
Last updated 1 May 2025
Ubuntu priority
CVSS 3 severity score
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel and sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of a BuildKit frontend from an untrusted source, and not building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.
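As an added example (not code from the advisory or from the BuildKit project), a small Python check that a CI pipeline could run over untrusted Dockerfiles before building: it flags RUN steps using the cache-mount-with-subpath pattern named in the workaround above, and compares a BuildKit version string against the fixed release. The Dockerfile it scans is constructed for the demo, and the `src` alias for `source` is assumed from BuildKit's Dockerfile frontend.

```python
import re
from typing import List, Tuple

# Constructed sample Dockerfile (not from the advisory); step 3 spans a
# backslash continuation and carries a cache mount restricted with source=.
SAMPLE_DOCKERFILE = """\
FROM golang:1.21
RUN --mount=type=cache,target=/root/.cache/go-build go build ./...
RUN --mount=type=cache,source=deps,target=/deps \\
    --mount=type=bind,target=/src make
RUN echo done
"""

FIXED_BUILDKIT = (0, 12, 5)          # fix landed in v0.12.5 per the advisory
MOUNT_RE = re.compile(r"--mount=(\S+)")


def join_continuations(text: str) -> List[Tuple[int, str]]:
    """Return (first_line_no, logical_line) pairs, folding trailing-backslash continuations."""
    out, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        out.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        out.append((start, " ".join(buf)))
    return out


def find_cache_mounts_with_source(text: str) -> List[Tuple[int, str]]:
    """Flag RUN steps whose --mount is a cache mount narrowed to a subpath (source= / src=)."""
    hits = []
    for no, line in join_continuations(text):
        if not line.lstrip().upper().startswith("RUN"):
            continue
        for spec in MOUNT_RE.findall(line):
            # 'type=cache,source=x,target=/y' -> dict; bare flags without '=' are dropped
            opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
            if opts.get("type") == "cache" and ("source" in opts or "src" in opts):
                hits.append((no, spec))
    return hits


def buildkit_is_fixed(version: str) -> bool:
    """True if a 'vX.Y.Z' BuildKit version is at or past the fixed release (no pre-release handling)."""
    return tuple(int(p) for p in version.lstrip("v").split(".")[:3]) >= FIXED_BUILDKIT
```

A flagged step is not itself a compromise; it is the pattern the advisory says to avoid in untrusted Dockerfiles while the builder is older than v0.12.5.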
Status
Package | Ubuntu Release | Status
---|---|---
docker.io | 25.04 plucky | Vulnerable
docker.io | 24.10 oracular | Vulnerable
docker.io | 24.04 LTS noble | Fixed 20.10.25+dfsg1-2ubuntu1+esm2
docker.io | 22.04 LTS jammy | Fixed 20.10.21-0ubuntu1~22.04.7+esm2
docker.io | 20.04 LTS focal | Fixed 20.10.21-0ubuntu1~20.04.6+esm2
docker.io | 18.04 LTS bionic | Fixed 20.10.21-0ubuntu1~18.04.3+esm3
docker.io | 16.04 LTS xenial | Not affected
docker.io | 14.04 LTS trusty | Ignored (end of standard support)
docker.io-app | 25.04 plucky | Vulnerable
docker.io-app | 24.10 oracular | Vulnerable
docker.io-app | 24.04 LTS noble | Vulnerable
docker.io-app | 22.04 LTS jammy | Vulnerable
docker.io-app | 20.04 LTS focal | Vulnerable
docker.io-app | 18.04 LTS bionic | Not in release
docker.io-app | 16.04 LTS xenial | Not in release
docker.io-app | 14.04 LTS trusty | Ignored (end of standard support)
Notes
alexmurray
Traditionally the docker.io source package contained both the library and docker application. However, in releases that contain the docker.io-app source package, the docker.io source package contains only the library whilst the docker application itself is contained in the docker.io-app package.
sbeattie
docker packages contain an embedded copy of github:moby/buildkit
Severity score breakdown
Parameter | Value
---|---
Base score |
Attack vector | Network
Attack complexity | High
Privileges required | None
User interaction | None
Scope | Unchanged
Confidentiality | High
Integrity impact | High
Availability impact | None
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References
Related Ubuntu Security Notices (USN)
- USN-7474-1: Docker vulnerabilities (1 May 2025)