In Docker Desktop on Windows before 4.12.0 an argument injection to installer may result in LPE
CVE-2023-0633

7.2HIGH

Key Information:

Vendor: Docker Inc.
Status: Docker Desktop
Vendor: CVE Published:; 25 September 2023

🔔 Create Docker Inc. Vulnerability Alert

What is CVE-2023-0633?

A vulnerability in Docker Desktop on Windows prior to version 4.12.0 allows an attacker to inject arguments into the installer, potentially leading to local privilege escalation. This could enable unauthorized users to gain elevated access to system resources, posing significant security risks for environments utilizing Docker Desktop. Users are encouraged to update to the latest version to mitigate potential threats.

Affected Version(s)

Docker Desktop Windows 0 < 4.12.0

References

https://docs.docker.com/desktop/release-notes/#4120

release-notes

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 25, 2023
Vulnerability Reserved
Feb 1, 2023

Credit

Cure53