Vulnerabilities > CVE-2023-5165 - Missing Authorization vulnerability in Docker Desktop

CVSS 8.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

docker

CWE-862

NVD

Published: 2023-09-25

Updated: 2023-09-26

Summary

Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching Docker Desktop. The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges. This issue has been fixed in Docker Desktop 4.23.0. Affected Docker Desktop versions: from 4.13.0 before 4.23.0.

Vulnerable Configurations

Part	Description	Count
Application	Docker Docker Docker Desktop 4.13.0 Docker Docker Desktop 4.13.1 Docker Docker Desktop 4.14.0 Docker Docker Desktop 4.14.1 Docker Docker Desktop 4.15.0 Docker Docker Desktop 4.16.0 Docker Docker Desktop 4.16.1 Docker Docker Desktop 4.16.2 Docker Docker Desktop 4.16.3 Docker Docker Desktop 4.17.0	10

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://docs.docker.com/desktop/release-notes/#4230