CVE-2024-6222
CVSS V2 None
CVSS V3 None
Description
In Docker Desktop before v4.29.0, an attacker who has gained access to the Docker Desktop VM through a container breakout can further escape to the host by passing extensions and dashboard related IPC messages.
Docker Desktop v4.29.0 https://docs.docker.com/desktop/release-notes/#4290 fixes the issue on MacOS, Linux and Windows with Hyper-V backend.
As exploitation requires "Allow only extensions distributed through the Docker Marketplace" to be disabled, Docker Desktop v4.31.0 https://docs.docker.com/desktop/release-notes/#4310 additionally changes the default configuration to enable this setting by default.
Overview
- CVE ID
- CVE-2024-6222
- Assigner
- Docker
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-07-09T17:16:05.646Z
- Last Modified Date
- 2024-07-09T17:16:05.646Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://docs.docker.com/desktop/release-notes/#4290 | release-notes |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-6222 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6222 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-07-10 13:30:34 | Added to TrackCVE |