PT-2019-6133 · Docker · Docker Desktop Community Edition+1
Published: 2019-07-05 · Updated: 2024-07-25 · CVE-2019-15752
CVSS v2.0: 9.3 High
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Docker Desktop Community Edition versions prior to 2.1.0.1
Description
The issue is related to incorrect permission assignment for the docker-credential-wincred.exe file in the %PROGRAMDATA%\DockerDesktop\version-bin\ folder. This could allow a remote attacker to elevate their privileges. A local user can gain privileges by placing a malicious docker-credential-wincred.exe file in the specified folder and waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login'.
Recommendations
For Docker Desktop Community Edition versions prior to 2.1.0.1, update to version 2.1.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the docker-credential-wincred.exe file in the %PROGRAMDATA%\DockerDesktop\version-bin\ folder to prevent unauthorized modifications.
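One way to carry out the workaround above, as an added example that is not part of the original advisory or Docker's own tooling: the script lists access-control entries that let non-administrative principals create, replace or re-permission files in the folder, and can optionally tighten the ACL with icacls. The trusted SID list, the `$ApplyFix` switch and the chosen replacement ACL (Administrators and SYSTEM full control, Users read/execute) are assumptions made for this example.

```powershell
# Added example (not from the advisory): audit write access to the credential helper's folder.
$dir      = Join-Path $env:ProgramData 'DockerDesktop\version-bin'
$helper   = Join-Path $dir 'docker-credential-wincred.exe'
$ApplyFix = $false   # assumption: set to $true in an elevated session to restrict access

# Assumption: only these well-known SIDs should be able to change the binary.
$trusted = 'S-1-5-18',      # NT AUTHORITY\SYSTEM
           'S-1-5-32-544',  # BUILTIN\Administrators
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller

# Rights that allow planting or replacing a file, plus GENERIC_ALL / GENERIC_WRITE,
# which Get-Acl can report as raw bits on inherit-only entries.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x10000000 -bor 0x40000000

function Get-RiskyAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolved account: report it as-is
        if ($trusted -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Audit the folder and the helper binary, skipping whichever does not exist.
$targets  = @($dir, $helper) | Where-Object { Test-Path -LiteralPath $_ }
$findings = @($targets | ForEach-Object { Get-RiskyAce $_ })
$findings | Format-Table -AutoSize

if ($ApplyFix -and $findings.Count -gt 0) {
    # Stop inheriting from %PROGRAMDATA%; Administrators and SYSTEM keep full control, Users get read/execute.
    icacls $dir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX'
    icacls "$dir\*" /reset /T   # existing files pick up the folder's new ACL
    # Re-audit: any rows printed here are explicit entries that still need manual removal.
    $targets | ForEach-Object { Get-RiskyAce $_ } | Format-Table -AutoSize
}
```

Tightening the ACL does not validate a binary that is already in the folder; check the existing file with `Get-AuthenticodeSignature` or replace it by installing version 2.1.0.1 or later.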
Exploit
Fix
Incorrect Permission
Affected Products
Docker
Docker Desktop Community Edition