Vulnerabilities > Docker > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-25 | CVE-2023-0627 | Unspecified vulnerability in Docker Desktop 4.11.0/4.11.1 Docker Desktop 4.11.x allows --no-windows-containers flag bypass via IPC response spoofing which may lead to Local Privilege Escalation (LPE).This issue affects Docker Desktop: 4.11.X. | 7.8 |
| 2023-09-25 | CVE-2023-0633 | Argument Injection or Modification vulnerability in Docker Desktop In Docker Desktop on Windows before 4.12.0 an argument injection to installer may result in local privilege escalation (LPE).This issue affects Docker Desktop: before 4.12.0. | 7.8 |
| 2023-09-25 | CVE-2023-5165 | Missing Authorization vulnerability in Docker Desktop Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching Docker Desktop. | 8.8 |
| 2023-04-27 | CVE-2022-31647 | Link Following vulnerability in Docker Desktop Docker Desktop before 4.6.0 on Windows allows attackers to delete any file through the hyperv/destroy dockerBackendV2 API via a symlink in the DataFolder parameter, a different vulnerability than CVE-2022-26659. | 7.1 |
| 2023-04-27 | CVE-2022-34292 | Link Following vulnerability in Docker Desktop Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647. | 7.1 |
| 2023-04-27 | CVE-2022-37326 | Unspecified vulnerability in Docker Desktop Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class. | 7.8 |
| 2023-04-06 | CVE-2023-1802 | Cleartext Transmission of Sensitive Information vulnerability in Docker Desktop 4.17.0/4.17.1 In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. | 7.5 |
| 2023-03-13 | CVE-2023-0628 | Command Injection vulnerability in Docker Desktop Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user to open a crafted malicious docker-desktop:// URL. | 7.8 |
| 2023-03-13 | CVE-2023-0629 | Unspecified vulnerability in Docker Desktop Docker Desktop before 4.17.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions by setting the Docker host to docker.raw.sock, or npipe:////.pipe/docker_engine_linux on Windows, via the -H (--host) CLI flag or the DOCKER_HOST environment variable and launch containers without the additional hardening features provided by ECI. | 7.1 |
| 2022-05-25 | CVE-2021-44719 | Unspecified vulnerability in Docker Desktop Docker Desktop 4.3.0 has Incorrect Access Control. | 8.4 |