Vulnerability in buildkit project (CNI portmap)

[ankitdn]

Contributing guidelines and issue reporting guide

• I've read the contributing guidelines and wholeheartedly agree. I've also read the issue reporting guide.

Well-formed report checklist

• I have found a bug that the documentation does not mention anything about my problem
• I have found a bug that there are no open or closed issues that are related to my problem
• I have provided version/information about my environment and done my best to provide a reproducer

Description of bug

While working on buildkit project, I discovered a vulnerability related to Container Networking Plugins. This issue occurs when the portmap plugin is configured to use the nftables backend. Due to improper handling of traffic rules, the plugin forwards all incoming traffic on a specified port, regardless of its intended destination IP.

CVE Report
CVE Link

[AkihiroSuda]

This issue occurs when the portmap plugin is configured to use the nftables backend.

The portmap plugin is unused in BuildKit.

See https://github.com/moby/buildkit/blob/v0.26.2/util/network/cniprovider/bridge.go

[AkihiroSuda]

The false alarm will be silenced in:

• build(deps): bump github.com/containernetworking/plugins from 1.8.0 to 1.9.0 #6404
• Dockerfile: update deps #6426