Vulnerabilities > CVE-2022-37326 - Unspecified vulnerability in Docker Desktop

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

docker

NVD

Published: 2023-04-27

Updated: 2023-05-09

Summary

Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class. This can indirectly lead to privilege escalation.

Vulnerable Configurations

Part	Description	Count
Application	Docker Docker Desktop - Docker Desktop 2.1.0.1 Docker Desktop 2.1.0.2 Docker Desktop 2.1.0.3 Docker Desktop 2.1.0.4 Docker Desktop 2.1.0.5 Docker Desktop 2.2.0.0 Docker Desktop 2.2.0.3 Docker Desktop 2.2.0.4	9

References

https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
https://docs.docker.com/desktop/release-notes/#docker-desktop-460