PT-2020-12272 · Docker+2 · Docker Desktop Enterprise+3
Hashim Jawad · Published 2020-03-18 · Updated 2022-05-24 · CVE-2020-10665
CVSS v2.0: 7.2 (High)
| Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Docker Desktop Enterprise versions prior to 2.1.0.9
Docker Desktop for Windows Stable versions prior to 2.2.0.4
Docker Desktop for Windows Edge versions prior to 2.2.2.0
LibreNMS versions prior to 1.48
Description
The issue allows local privilege escalation and arbitrary file writes because diagnostics collection is mishandled while running with Administrator privileges. Additionally, user-supplied input is insufficiently validated or encoded in the graphing scripts, which allows injection of RRDtool syntax and enables several attacks, including disclosure of the directory structure and filenames, disclosure of file contents, denial of service, and writing arbitrary files. The html/graph.php script and its parameters, as well as html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php, are affected.
Recommendations
For Docker Desktop Enterprise versions prior to 2.1.0.9, update to version 2.1.0.9 or later.
For Docker Desktop for Windows Stable versions prior to 2.2.0.4, update to version 2.2.0.4 or later.
For Docker Desktop for Windows Edge versions prior to 2.2.2.0, update to version 2.2.2.0 or later.
For LibreNMS versions prior to 1.48, update to version 1.48 or later.
As a temporary workaround for LibreNMS, consider restricting access to the html/graph.php script and validating user input in the html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php scripts to prevent RRDtool syntax injection.
Exploit
Fix
LPE
Special Elements Injection
Link Following
Affected Products
Docker Desktop Enterprise
Docker Desktop For Windows
Librenms
Rrdtool