PT-2018-13063 · Docker · Docker For Windows+1

Published: 2018-09-01 · Updated: 2018-11-09 · CVE-2018-15514

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Docker for Windows versions prior to 18.06.0-ce-rc3-win68 (edge) and prior to 18.06.0-ce-win72 (stable)

Description: A malicious user in the "docker-users" group can escalate to administrator privileges because the HandleRequestAsync function deserializes requests received over the named pipe without verifying the validity of the deserialized .NET objects.

Recommendations: For Docker for Windows versions prior to 18.06.0-ce-rc3-win68 (edge) and prior to 18.06.0-ce-win72 (stable), update to version 18.06.0-ce-rc3-win68 (edge) or 18.06.0-ce-win72 (stable) to resolve the issue. As a temporary workaround, consider restricting access to the "docker-users" group to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2018-15514

Affected Products

Docker
Docker For Windows