{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-6222","assignerOrgId":"686469e6-3ff6-451b-ab8b-cf5b9e89401e","state":"PUBLISHED","assignerShortName":"Docker","dateReserved":"2024-06-20T18:47:44.854Z","datePublished":"2024-07-09T17:16:05.646Z","dateUpdated":"2024-08-01T21:33:05.292Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Windows","MacOS","Linux"],"product":"Docker Desktop","vendor":"Docker Inc.","versions":[{"lessThan":"v4.29.0","status":"affected","version":"0","versionType":"semver"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Docker Extensions enabled"}],"value":"Docker Extensions enabled"},{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\"Allow only extensions distributed through the Docker Marketplace\" disabled<br>"}],"value":"\"Allow only extensions distributed through the Docker Marketplace\" disabled"}],"credits":[{"lang":"en","type":"finder","value":"Billy Jheng Bing-Jhong"},{"lang":"en","type":"finder","value":"Đỗ Minh Tuấn"},{"lang":"en","type":"finder","value":"Muhammad Alifa Ramdhan"},{"lang":"en","type":"coordinator","value":"Trend Micro Zero Day Initiative"}],"datePublic":"2024-06-21T10:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"In Docker Desktop before v4.29.0, an attacker who has gained access to the Docker Desktop VM through a container breakout can further escape to the host by passing extensions and dashboard related IPC messages.<br><br>Docker Desktop <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.docker.com/desktop/release-notes/#4290\">v4.29.0</a> fixes the issue on MacOS, Linux and Windows with Hyper-V backend.<br><br>As exploitation requires \"Allow only extensions distributed through the Docker Marketplace\" to be disabled, Docker Desktop&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.docker.com/desktop/release-notes/#4310\">v4.31.0</a>&nbsp;additionally changes the default configuration to enable this setting by default.<br>"}],"value":"In Docker Desktop before v4.29.0, an attacker who has gained access to the Docker Desktop VM through a container breakout can further escape to the host by passing extensions and dashboard related IPC messages.\n\nDocker Desktop  v4.29.0 https://docs.docker.com/desktop/release-notes/#4290  fixes the issue on MacOS, Linux and Windows with Hyper-V backend.\n\nAs exploitation requires \"Allow only extensions distributed through the Docker Marketplace\" to be disabled, Docker Desktop  v4.31.0 https://docs.docker.com/desktop/release-notes/#4310  additionally changes the default configuration to enable this setting by default."}],"impacts":[{"capecId":"CAPEC-480","descriptions":[{"lang":"en","value":"CAPEC-480 Escaping Virtualization"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"LOCAL","baseScore":7.3,"baseSeverity":"HIGH","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-923","description":"CWE-923: Improper Restriction of Communication Channel to Intended Endpoints","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"686469e6-3ff6-451b-ab8b-cf5b9e89401e","shortName":"Docker","dateUpdated":"2024-07-09T17:16:05.646Z"},"references":[{"tags":["release-notes"],"url":"https://docs.docker.com/desktop/release-notes/#4290"}],"source":{"discovery":"EXTERNAL"},"title":"In Docker Desktop before v4.29.0 an attacker who has gained access to the Docker Desktop VM through a container breakout can further escape to the host by passing extensions and dashboard related IPC messages","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Disable Docker Extensions or enable \"Allow only extensions distributed through the Docker Marketplace\" from the Settings panel."}],"value":"Disable Docker Extensions or enable \"Allow only extensions distributed through the Docker Marketplace\" from the Settings panel."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"docker","product":"desktop","cpes":["cpe:2.3:a:docker:desktop:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"4.29.0","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-07-31T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2024-6222"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-01T03:55:55.155Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T21:33:05.292Z"},"title":"CVE Program Container","references":[{"tags":["release-notes","x_transferred"],"url":"https://docs.docker.com/desktop/release-notes/#4290"}]}]}}