GO-2024-2494

Source
https://pkg.go.dev/vuln/GO-2024-2494
Import Source
https://vuln.go.dev/ID/GO-2024-2494.json
Aliases
Published
2024-02-12T18:45:16Z
Modified
2024-02-12T19:12:20.130086Z
Details

A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.

References

Affected packages

Go / github.com/moby/buildkit

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
0.12.5

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/moby/buildkit/executor",
            "symbols": [
                "MountStubsCleaner"
            ]
        }
    ]
}