TheCyberThrone

Docker fixes Critical Vulnerability - CVE-2024-41110


Docker has released an urgent security advisory with fixes for a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization plugins.

The vulnerability, tracked as CVE-2024-41110 with a CVSS score of 10, was initially detected and fixed in 2018, but a January 2019 patch was not carried forward to later major versions, resulting in a regression.


Using a specially crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request that it would otherwise have denied if the body had been forwarded to it.

An attacker could exploit the bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.
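The plugin-side effect described above, shown as an added example (not Docker's code and not from the advisory): a body-dependent policy evaluated once permissively and once fail-closed. The `Decide` function, the `failClosed` switch, the privileged-container rule and the sample requests are hypothetical; the field names follow the Docker AuthZ plugin request format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest holds the fields of the daemon's AuthZ plugin request that
// this hypothetical policy reads.
type AuthZRequest struct {
	RequestMethod string
	RequestURI    string
	RequestBody   []byte
}

// Decide refuses privileged container creation. failClosed selects what
// happens when the body the policy depends on is missing.
func Decide(req AuthZRequest, failClosed bool) (bool, string) {
	if req.RequestMethod != "POST" || !strings.Contains(req.RequestURI, "/containers/create") {
		return true, "outside this policy"
	}
	if len(req.RequestBody) == 0 {
		if failClosed {
			return false, "create request has no body to inspect"
		}
		return true, "nothing objectionable found" // the bypass condition
	}
	var spec struct {
		HostConfig struct{ Privileged bool }
	}
	if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
		return false, "unparseable body"
	}
	if spec.HostConfig.Privileged {
		return false, "privileged containers are not allowed"
	}
	return true, "ok"
}

func main() {
	// Constructed sample inputs: the same request with and without its body.
	full := AuthZRequest{"POST", "/containers/create", []byte(`{"HostConfig":{"Privileged":true}}`)}
	stripped := AuthZRequest{"POST", "/containers/create", nil}
	for _, fc := range []bool{false, true} {
		a, _ := Decide(full, fc)
		b, m := Decide(stripped, fc)
		fmt.Printf("failClosed=%v full=%v stripped=%v (%s)\n", fc, a, b, m)
	}
}
```

A policy that treats a missing body as a reason to deny keeps its decision intact even when the daemon omits the body.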

Affected versions are <= v19.03.15, <= v20.10.27, <= v23.0.14, <= v24.0.9, <= v25.0.5, <= v26.0.2, <= v26.1.4, <= v27.0.3, and <= v27.1.0. Patched versions are > v23.0.14 and > v27.1.0.

Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. Docker said commercial products and internal infrastructures that do not use AuthZ plugins are also unaffected.


Docker Desktop up to v4.32.0 includes affected versions of Docker Engine, but the impact is limited compared to production environments.

Exploitation of the vulnerability requires access to the Docker API. The default configuration of Docker Desktop does not include AuthZ plugins, and privilege escalation is confined to the Docker Desktop VM, not the underlying host. A patched version of Docker Engine is planned for inclusion in Docker Desktop v4.33.
