
Buildkit build-time container teardown arbitrary delete (CVE-2024-23652)

Blog post from Snyk

Post Details
Company: Snyk
Author: Rory McNamara
Word Count: 879
Language: English
Summary

A critical vulnerability (CVE-2024-23652) has been discovered in all versions of Docker Buildkit <=v0.12.4. It can result in arbitrary file and directory deletion on the underlying host OS when an image is built from a malicious Dockerfile or upstream image. Because Buildkit runs with root privileges, an attacker who triggers the flaw can delete any file on the host filesystem. To mitigate this issue, update Buildkit to version v0.12.5 or later, and use tools such as Snyk's runtime detection tool (leaky-vessels-runtime-detector) or static analysis detector (leaky-vessels-static-detector) for early detection of vulnerable containers. Organizations should also take precautions by using well-maintained parent images, clearing out build caches, and verifying the provenance of parent images to prevent exploitation.