GO-2024-2497

Source
https://pkg.go.dev/vuln/GO-2024-2497
Import Source
https://vuln.go.dev/ID/GO-2024-2497.json
Aliases
Published
2024-02-07T04:19:28Z
Modified
2024-02-07T04:41:25.755240Z
Details

BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.

References

Affected packages

Go / github.com/moby/buildkit

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
0.12.5

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/moby/buildkit/solver/llbsolver",
            "symbols": [
                "Solver.Solve",
                "ValidateEntitlements",
                "llbBridge.Exec",
                "llbBridge.Run",
                "provenanceBridge.Solve"
            ]
        },
        {
            "path": "github.com/moby/buildkit/frontend/gateway/forwarder",
            "symbols": [
                "BridgeClient.NewContainer",
                "GatewayForwarder.Solve",
                "LLBBridgeToGatewayClient"
            ]
        },
        {
            "path": "github.com/moby/buildkit/cmd/buildkitd",
            "symbols": [
                "newController"
            ]
        },
        {
            "path": "github.com/moby/buildkit/frontend/gateway/container",
            "symbols": [
                "NewContainer"
            ]
        },
        {
            "path": "github.com/moby/buildkit/frontend/gateway",
            "symbols": [
                "NewBridgeForwarder",
                "gatewayFrontend.Solve",
                "llbBridgeForwarder.NewContainer",
                "newBridgeForwarder",
                "serveLLBBridgeForwarder"
            ]
        }
    ]
}