TechRadar
Sead Fadilpašić

Docker finally fixes a critical security flaw that could have allowed for account hijack

Five years ago, Docker fixed a critical-severity vulnerability in Docker Engine that allowed threat actors to bypass authorization plugins and escalate privileges on flawed instances.

However, a later release, shipped after the patch, re-introduced the flaw, and it apparently remained present in Docker Engine until only recently.

The bug has been given a new CVE and a new patch, but it is not known whether anyone found it, and abused it, in the five years it went unnoticed.

Disabling AuthZ

The vulnerability is now tracked as CVE-2024-41110 and carries the maximum CVSS score of 10.0. It affects deployments that rely on an authorization (AuthZ) plugin for access control: according to Docker's advisory, an API request sent with Content-Length set to 0 is forwarded to the AuthZ plugin without its body, the plugin may approve what looks like an empty request, and the daemon then executes the full request. All versions up to and including v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0 are listed as vulnerable for users who use authorization plugins.

Docker says that those who don't use plugins for authorization, those that use Mirantis Container Runtime, and those using Docker commercial products are not affected, regardless of the Docker Engine version they run. The fixes are in the patch releases that follow the affected versions listed above, namely v23.0.15, v26.1.5 and v27.1.1.

Docker Desktop 4.32.0, the latest version, is also said to be vulnerable, but the impact is limited: exploiting the flaw requires access to the Docker API, and any escalation of privilege would be confined to the Docker Desktop virtual machine.

Docker Desktop v4.33.0 will address this issue as well, but it hasn’t been published yet. 

Those who are unable to apply the patch right away should disable AuthZ plugins and restrict access to the Docker API to trusted users only, the company concluded.
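A practitioner wanting to know whether a host needs that mitigation has to answer two questions: is the engine in one of the affected ranges above, and is an AuthZ plugin actually configured? The POSIX shell script below is an added example, not Docker's own tooling, that encodes the affected-version ceilings exactly as the article lists them and combines them with the plugin list. It assumes the engine version is read from `docker version --format '{{.Server.Version}}'` and the plugin list from `docker info --format '{{.Plugins.Authorization}}'` (which prints `[]` when no plugin is configured); the plugin name `authz-broker` in the constructed sample is hypothetical.

```shell
#!/bin/sh
# Added example (not Docker's code): is this host exposed to CVE-2024-41110?
# Exposure needs BOTH an affected Docker Engine version AND a configured
# AuthZ plugin; hosts without an authorization plugin are not affected.

# Highest affected version on each release line, as listed in the advisory.
AFFECTED_CEILINGS="19.03.15 20.10.27 23.0.14 24.0.9 25.0.5 26.0.2 26.1.4 27.0.3 27.1.0"

# vercmp A B: compare dotted versions numerically (up to three fields),
# printing -1, 0 or 1. Missing fields count as 0, so "19.03" == "19.03.0".
vercmp() {
    for i in 1 2 3; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# engine_version_affected VERSION: true (exit 0) when VERSION sits on one of
# the affected release lines and is at or below that line's ceiling.
engine_version_affected() {
    v="$1"
    line=$(printf '%s\n' "$v" | cut -d. -f1,2)
    for ceiling in $AFFECTED_CEILINGS; do
        cline=$(printf '%s\n' "$ceiling" | cut -d. -f1,2)
        [ "$(vercmp "$line" "$cline")" -eq 0 ] || continue
        [ "$(vercmp "$v" "$ceiling")" -le 0 ] && return 0
    done
    return 1   # a release line newer than every ceiling (e.g. 27.2.x) is not listed
}

# host_exposed VERSION PLUGINS: true only if the engine is affected AND at
# least one authorization plugin is configured. PLUGINS is the raw output of
# `docker info --format '{{.Plugins.Authorization}}'`, i.e. "[]" when none.
host_exposed() {
    plugins="$2"
    [ "$plugins" = "[]" ] && plugins=""
    engine_version_affected "$1" && [ -n "$plugins" ]
}

# Demo: query a live daemon when one is reachable, otherwise use constructed
# sample values so the script still runs offline.
if command -v docker >/dev/null 2>&1 && docker version >/dev/null 2>&1; then
    ver=$(docker version --format '{{.Server.Version}}')
    plg=$(docker info --format '{{.Plugins.Authorization}}')
else
    ver="27.1.0"            # constructed sample: last affected 27.1.x release
    plg="[authz-broker]"    # constructed sample: hypothetical plugin name
fi

if host_exposed "$ver" "$plg"; then
    echo "Docker Engine $ver with AuthZ plugins $plg: EXPOSED, patch or disable AuthZ and restrict API access"
else
    echo "Docker Engine $ver with AuthZ plugins $plg: not exposed"
fi
```

The check deliberately keys on the advisory's per-line ceilings rather than a single "older than X" test, because the affected set spans several maintained release lines (19.03, 20.10, 23.0 through 27.1) with a different fixed patch version on each; a host on 26.1.4 is affected while a host on 26.1.5 is not, even though both are older than 27.1.0.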

Docker is a platform for developing, shipping, and running applications using containerization technology. It allows developers to package applications and their dependencies into containers, ensuring consistency across environments. The platform has 13 million users worldwide, including individual developers, small businesses, and large enterprises.

Via BleepingComputer
