Docker Desktop


By the Year

In 2024 there have been 0 vulnerabilities in Docker Desktop. Last year Docker Desktop had 8 security vulnerabilities published. Right now, Docker Desktop is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 8 8.18
2022 1 5.50
2021 0 0.00
2020 1 7.80
2019 0 0.00
2018 0 0.00

It may take a day or so for new Docker Desktop vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Docker Desktop Security Vulnerabilities

Docker Desktop on Windows before 4.12.0

CVE-2023-0633 7.8 - High - September 25, 2023

In Docker Desktop on Windows before 4.12.0, an argument injection in the installer may result in local privilege escalation (LPE). This issue affects Docker Desktop: before 4.12.0.

Argument Injection

Docker Desktop 4.11.x

CVE-2023-0627 7.8 - High - September 25, 2023

Docker Desktop 4.11.x allows --no-windows-containers flag bypass via IPC response spoofing, which may lead to Local Privilege Escalation (LPE). This issue affects Docker Desktop: 4.11.x.

Docker Desktop before 4.12.0 is vulnerable to RCE via query parameters in message-box route

CVE-2023-0626 9.8 - Critical - September 25, 2023

Docker Desktop before 4.12.0 is vulnerable to RCE via query parameters in message-box route. This issue affects Docker Desktop: before 4.12.0.

Code Injection

Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog

CVE-2023-0625 9.8 - Critical - September 25, 2023

Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog. This issue affects Docker Desktop: before 4.12.0.

Code Injection

Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL

CVE-2023-5166 6.5 - Medium - September 25, 2023

Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.

Docker Desktop before 4.23.0

CVE-2023-5165 8.8 - High - September 25, 2023

Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching Docker Desktop. The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges. This issue has been fixed in Docker Desktop 4.23.0. Affected Docker Desktop versions: from 4.13.0 before 4.23.0.

AuthZ

Docker Desktop before 4.17.0

CVE-2023-0629 7.1 - High - March 13, 2023

Docker Desktop before 4.17.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions by setting the Docker host to docker.raw.sock, or npipe:////.pipe/docker_engine_linux on Windows, via the -H (--host) CLI flag or the DOCKER_HOST environment variable and launch containers without the additional hardening features provided by ECI. This would not affect already running containers, nor containers launched through the usual approach (without Docker's raw socket). The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges. This issue has been fixed in Docker Desktop 4.17.0. Affected Docker Desktop versions: from 4.13.0 before 4.17.0.

Docker Desktop before 4.17.0

CVE-2023-0628 7.8 - High - March 13, 2023

Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user to open a crafted malicious docker-desktop:// URL.

Command Injection

Docker Desktop versions 4.3.0 and 4.3.1 have a bug

CVE-2021-45449 5.5 - Medium - January 12, 2022

Docker Desktop versions 4.3.0 and 4.3.1 have a bug that may log sensitive information (access token or password) on the user's machine during login. This only affects users who are on Docker Desktop 4.3.0 or 4.3.1 and who logged in while on 4.3.0 or 4.3.1. Gaining access to this data would require access to the user's local files.

Insertion of Sensitive Information into Log File

com.docker.vmnetd in Docker Desktop 2.3.0.3

CVE-2020-15360 7.8 - High - June 27, 2020

com.docker.vmnetd in Docker Desktop 2.3.0.3 allows privilege escalation because of a lack of client verification.

AuthZ
