Vulnerability Details CVE-2022-34292
Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.5%
CVSS Severity
CVSS v3 Score 7.1
References
- https://docs.docker.com/desktop/release-notes/#docker-desktop-460
- https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
- https://docs.docker.com/desktop/release-notes/#docker-desktop-460
- https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
Products affected by CVE-2022-34292
-
cpe:2.3:a:docker:desktop:-
-
cpe:2.3:a:docker:desktop:2.1.0.1
-
cpe:2.3:a:docker:desktop:2.1.0.2
-
cpe:2.3:a:docker:desktop:2.1.0.3
-
cpe:2.3:a:docker:desktop:2.1.0.4
-
cpe:2.3:a:docker:desktop:2.1.0.5
-
cpe:2.3:a:docker:desktop:2.2.0.0
-
cpe:2.3:a:docker:desktop:2.2.0.3
-
cpe:2.3:a:docker:desktop:2.2.0.4