Security News > 2024 > July > You should probably fix this 5-year-old critical Docker vuln fairly sharpish

Docker is warning users to rev their Docker Engine into patch mode after it realized a near-maximum severity vulnerability had been sticking around for five years.

By sending a body-less request, an attacker can force the Docker Engine API client to forward that request to an authorization plugin, which may, in error, approve a request that would have been denied if the body content was forwarded to it.

Docker says the likelihood of this attack being exploited is low, but the vulnerability's CVSS assessment indicates it's a low-complexity attack that requires low-level privileges and no user interaction.

For those running Docker Desktop, a fix is coming in v4.33, but the impact is thought to be less severe than in production environments, Docker said.

To access the Docker API, which is crucial for an exploit, the attacker would already need to have local access to the machine, or have the Docker daemon exposed over TCP. Although vulnerable versions of Docker Engine are in the latest Docker Desktop release, the default Desktop configuration doesn't rely on AuthZ plugins.

Even if the above conditions were working in an attacker's favor, privilege escalation would also only be limited to the Docker Desktop VM and not the host.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/25/5yo_docker_vulnerability/