Docker finally fixes a critical security flaw that could have allowed for account hijack

The bug was given a new CVE and a new patch, but we don’t know if anyone found it, and abused it, in the five years since then.

Disabling AuthZ

The vulnerability is now tracked as CVE-2024-41110, and has a perfect vulnerability score of 10/10. All versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, for users who use authorization plugins for access control, were said to be vulnerable.

Those that don’t use plugins for authorization, those that use Mirantis Container Runtime, and those using Docker commercial products, are not affected by the vulnerability, regardless of the Docker Engine version they use, it was said. The earliest patched versions are v23.0.14 and v27.1.0.

Docker Desktop 4.32.0, the latest version, was also said to be vulnerable, but the impact is apparently limited, since exploiting the flaw requires access to the docker API, and any escalation of privilege would only be limited to the virtual machine. 

Docker Desktop v4.33.0 will address this issue as well, but it hasn’t been published yet. 

Those who are unable to apply the patch at this time should disable AuthZ plugins, and restrict access to the Docker API to only those users they trust, the company concluded. 

Docker is a platform for developing, shipping, and running applications using containerization technology. It allows developers to package applications and their dependencies into containers, ensuring consistency across various environments. The platform has 13 million of users worldwide, including individual developers, small businesses, and large enterprises.

Via BleepingComputer

More from TechRadar Pro

• Docker instances targeted in major cryptojacking scam
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now