Vulnerability Details CVE-2022-31647
Docker Desktop before 4.6.0 on Windows allows attackers to delete any file through the hyperv/destroy dockerBackendV2 API via a symlink in the DataFolder parameter, a different vulnerability than CVE-2022-26659.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.5%
CVSS Severity
CVSS v3 Score 7.1
References
- https://docs.docker.com/desktop/release-notes/#docker-desktop-460
- https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
- https://docs.docker.com/desktop/release-notes/#docker-desktop-460
- https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
Products affected by CVE-2022-31647
-
cpe:2.3:a:docker:desktop:-
-
cpe:2.3:a:docker:desktop:2.1.0.1
-
cpe:2.3:a:docker:desktop:2.1.0.2
-
cpe:2.3:a:docker:desktop:2.1.0.3
-
cpe:2.3:a:docker:desktop:2.1.0.4
-
cpe:2.3:a:docker:desktop:2.1.0.5
-
cpe:2.3:a:docker:desktop:2.2.0.0
-
cpe:2.3:a:docker:desktop:2.2.0.3
-
cpe:2.3:a:docker:desktop:2.2.0.4