Docker Desktop
By the Year
In 2024 there have been 0 vulnerabilities in Docker Desktop. Last year Docker Desktop had 8 security vulnerabilities published. Right now, Docker Desktop is on track to have fewer security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 8 | 8.18 |
2022 | 1 | 5.50 |
2021 | 0 | 0.00 |
2020 | 1 | 7.80 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Docker Desktop vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Docker Desktop Security Vulnerabilities
Docker Desktop on Windows before 4.12.0
CVE-2023-0633
7.8 - High
- September 25, 2023
In Docker Desktop on Windows before 4.12.0 an argument injection to the installer may result in local privilege escalation (LPE). This issue affects Docker Desktop: before 4.12.0.
Argument Injection
Docker Desktop 4.11.x
CVE-2023-0627
7.8 - High
- September 25, 2023
Docker Desktop 4.11.x allows --no-windows-containers flag bypass via IPC response spoofing, which may lead to Local Privilege Escalation (LPE). This issue affects Docker Desktop: 4.11.x.
Docker Desktop before 4.12.0 is vulnerable to RCE via query parameters in message-box route
CVE-2023-0626
9.8 - Critical
- September 25, 2023
Docker Desktop before 4.12.0 is vulnerable to RCE via query parameters in message-box route. This issue affects Docker Desktop: before 4.12.0.
Code Injection
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog
CVE-2023-0625
9.8 - Critical
- September 25, 2023
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog. This issue affects Docker Desktop: before 4.12.0.
Code Injection
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL
CVE-2023-5166
6.5 - Medium
- September 25, 2023
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
Docker Desktop before 4.23.0
CVE-2023-5165
8.8 - High
- September 25, 2023
Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching Docker Desktop. The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges. This issue has been fixed in Docker Desktop 4.23.0. Affected Docker Desktop versions: from 4.13.0 before 4.23.0.
AuthZ
Docker Desktop before 4.17.0
CVE-2023-0629
7.1 - High
- March 13, 2023
Docker Desktop before 4.17.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions by setting the Docker host to docker.raw.sock, or npipe:////.pipe/docker_engine_linux on Windows, via the -H (--host) CLI flag or the DOCKER_HOST environment variable and launch containers without the additional hardening features provided by ECI. This would not affect already running containers, nor containers launched through the usual approach (without Docker's raw socket). The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges. This issue has been fixed in Docker Desktop 4.17.0. Affected Docker Desktop versions: from 4.13.0 before 4.17.0.
Docker Desktop before 4.17.0
CVE-2023-0628
7.8 - High
- March 13, 2023
Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user to open a crafted malicious docker-desktop:// URL.
Command Injection
Docker Desktop versions 4.3.0 and 4.3.1 have a bug
CVE-2021-45449
5.5 - Medium
- January 12, 2022
Docker Desktop versions 4.3.0 and 4.3.1 have a bug that may log sensitive information (access token or password) on the user's machine during login. This only affects users who are on Docker Desktop 4.3.0 or 4.3.1 and have logged in while on 4.3.0 or 4.3.1. Gaining access to this data would require access to the user's local files.
Insertion of Sensitive Information into Log File
com.docker.vmnetd in Docker Desktop 2.3.0.3
CVE-2020-15360
7.8 - High
- June 27, 2020
com.docker.vmnetd in Docker Desktop 2.3.0.3 allows privilege escalation because of a lack of client verification.
AuthZ