Docker Users at Risk: Patch Critical CVE-2024-41110 Vulnerability Immediately
Docker has issued a warning about a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization plugins (AuthZ). The vulnerability, tracked as CVE-2024-41110, has received the highest CVSS score of 10.0.
According to a statement from the Moby project developers, “An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.”
Notably, Docker reports that this is an old, long-known issue. It was first identified in 2018 and fixed in Docker Engine v18.09.1, released in January 2019. However, for some reason, the fix was not carried over to subsequent versions of Docker (19.03 and above).
After the issue was rediscovered in April this year, patches addressing the vulnerability were released in July (versions 23.0.14 and 27.1.0). It is important to note that the following versions of Docker are still vulnerable to CVE-2024-41110 exploitation:
- <= v19.03.15
- <= v20.10.27
- <= v23.0.14
- <= v24.0.9
- <= v25.0.5
- <= v26.0.2
- <= v26.1.4
- <= v27.0.3
- <= v27.1.0
Docker representatives have stated that users of Docker Engine v19.03.x and later versions who do not rely on authorization plugins for access control decisions, as well as users of all versions of Mirantis Container Runtime, are not affected by the identified vulnerability.
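A defender's triage check for the list above, as an added example that is not from Docker or the original article: it reads each "<= vX.Y.Z" entry as the highest affected release on its own major.minor line (an assumption) and flags a host only when an AuthZ plugin is also configured. The function names, the sample daemon.json strings and the plugin name `example-authz` are constructed for illustration.

```python
import json
import re

# Highest affected release on each release line, copied from the article's list.
AFFECTED_UP_TO = ("19.03.15", "20.10.27", "23.0.14", "24.0.9", "25.0.5",
                  "26.0.2", "26.1.4", "27.0.3", "27.1.0")


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v24.0.7' or '20.10.27+dfsg1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Docker Engine version: {text!r}")
    return tuple(int(part) for part in m.groups())


# Release line (major, minor) -> highest affected patch number on that line.
BOUNDS = {parse_version(v)[:2]: parse_version(v)[2] for v in AFFECTED_UP_TO}


def version_status(version):
    """'affected', 'fixed', or 'unlisted' (release line absent from the list)."""
    major, minor, patch = parse_version(version)
    bound = BOUNDS.get((major, minor))
    if bound is None:
        return "unlisted"
    return "affected" if patch <= bound else "fixed"


def authz_plugins(daemon_json_text):
    """Plugins named under 'authorization-plugins' in a daemon.json document."""
    # Assumption: only daemon.json is read; dockerd's --authorization-plugin flag is not.
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    return list(config.get("authorization-plugins") or [])


def exposed(version, daemon_json_text):
    """True only when the version is listed AND an AuthZ plugin is configured."""
    return version_status(version) == "affected" and bool(authz_plugins(daemon_json_text))


# Constructed sample inputs; the plugin name is made up for illustration.
SAMPLE_WITH_AUTHZ = '{"authorization-plugins": ["example-authz"], "log-level": "info"}'
SAMPLE_NO_AUTHZ = '{"log-level": "info"}'

if __name__ == "__main__":
    for ver, cfg in [("24.0.7", SAMPLE_WITH_AUTHZ), ("24.0.7", SAMPLE_NO_AUTHZ),
                     ("v27.1.1", SAMPLE_WITH_AUTHZ), ("18.09.1", SAMPLE_WITH_AUTHZ)]:
        print(ver, version_status(ver), authz_plugins(cfg), exposed(ver, cfg))
```

On a real host the inputs would be the output of `docker version --format '{{.Server.Version}}'` and the contents of `/etc/docker/daemon.json`; a result of `unlisted` means the list above gives no bound for that release line.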
The vulnerability also affects Docker Desktop up to version 4.32.0, although exploitation is less likely there and requires access to the Docker API, which implies local access to the host. The fix will be included in a future release (version 4.33).
“Default Docker Desktop configuration does not include AuthZ plugins,” Docker representatives noted. “Privilege escalation is limited to the Docker Desktop VM, not the underlying host.”
Although Docker has not reported any instances of CVE-2024-41110 being exploited in real-world attacks, users are strongly advised to update their installations to the latest version to prevent potential threats.
Earlier this year, Docker fixed a set of vulnerabilities known as Leaky Vessels, which allowed attackers to gain unauthorized access to the host file system and escape the container.
“While some methods could grant an attacker partial access to the host of a container, other techniques can grant attackers full access to the host,” noted specialists from Palo Alto Networks Unit 42 in a report published last week. “As more organizations use containers, the risk from these escape techniques will likely remain a notable feature of our threat landscape.”
“Sharing the same kernel and often lacking complete isolation from the host’s user-mode, containers are susceptible to various techniques employed by attackers seeking to escape the confines of a container environment,” the researchers explained.