Docker has issued security updates for a critical vulnerability in Docker Engine. The flaw, tracked as CVE-2024-41110, lets an attacker bypass authorization (AuthZ) plugins by sending an API request whose Content-Length header is set to 0. The bug was originally fixed in Docker Engine v18.09.1 in January 2019, but that fix was not carried forward into later major releases, so the issue regressed and went unnoticed until it was rediscovered in April 2024.
The impact is unauthorized access and privilege escalation. AuthZ plugins decide whether a given Docker API call is allowed, and for calls that carry a JSON payload they depend on the daemon forwarding that payload together with the request. When the request declares a Content-Length of 0, the daemon forwards it to the plugin without its body, so a plugin whose policy depends on the body (for example one that rejects HostConfig.Privileged in a container-create request) has nothing to inspect and may approve a request it would otherwise deny, after which the daemon carries the request out. Although the flaw was present for roughly five years, it is not known whether it was exploited in the wild.
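The decision pattern described above, as an added illustration that is not code from Docker or from any real AuthZ plugin. The field names follow the Docker AuthZ plugin request/response protocol; DaemonForward is a model of the daemon behaviour the advisory describes (body attached only when Content-Length is positive), not moby's actual code; the user "alice", the API path and the container payload are constructed sample input. It contrasts a fail-open plugin, which approves whatever it cannot see, with a fail-closed plugin that denies a body-carrying endpoint whose body never arrived:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest carries the fields a Docker AuthZ plugin receives on its
// /AuthZPlugin.AuthZReq call (JSON names follow the plugin protocol).
// RequestBody is base64 on the wire, which Go's []byte handles; it is empty
// when the daemon forwarded the request without its body.
type AuthZRequest struct {
	User           string            `json:"User"`
	RequestMethod  string            `json:"RequestMethod"`
	RequestURI     string            `json:"RequestUri"`
	RequestHeaders map[string]string `json:"RequestHeaders"`
	RequestBody    []byte            `json:"RequestBody"`
}

// AuthZResponse is the plugin's verdict.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// isContainerCreate matches POST /containers/create with or without an API
// version prefix such as /v1.45/ and ignores any query string.
func isContainerCreate(method, uri string) bool {
	path := strings.SplitN(uri, "?", 2)[0]
	return method == "POST" && strings.HasSuffix(path, "/containers/create")
}

// requestsPrivileged reports HostConfig.Privileged from a container-create body.
func requestsPrivileged(body []byte) (bool, error) {
	var cfg struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if err := json.Unmarshal(body, &cfg); err != nil {
		return false, err
	}
	return cfg.HostConfig.Privileged, nil
}

// decideOnBody is the policy both plugins share: deny privileged containers
// and deny bodies the policy cannot parse.
func decideOnBody(body []byte) AuthZResponse {
	priv, err := requestsPrivileged(body)
	switch {
	case err != nil:
		return AuthZResponse{Allow: false, Msg: "unparseable request body: " + err.Error()}
	case priv:
		return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
	}
	return AuthZResponse{Allow: true}
}

// LenientDecision is the fail-open pattern the bypass relies on: the deny rule
// fires only when Privileged is visible in the body, so an empty body is
// approved even though the daemon will act on the real payload.
func LenientDecision(req AuthZRequest) AuthZResponse {
	if !isContainerCreate(req.RequestMethod, req.RequestURI) || len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: true}
	}
	return decideOnBody(req.RequestBody)
}

// FailClosedDecision treats a body-carrying endpoint that arrives without a
// body as undecidable and denies it.
func FailClosedDecision(req AuthZRequest) AuthZResponse {
	if !isContainerCreate(req.RequestMethod, req.RequestURI) {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "container create without an inspectable body"}
	}
	return decideOnBody(req.RequestBody)
}

// DaemonForward models the daemon-side behaviour the advisory describes: the
// body is attached to the plugin request only when the declared Content-Length
// is positive, so Content-Length: 0 reaches the plugin with RequestBody empty.
// This is a model of the described bug, not moby's code.
func DaemonForward(user, method, uri string, contentLength int64, body []byte) AuthZRequest {
	req := AuthZRequest{
		User:           user,
		RequestMethod:  method,
		RequestURI:     uri,
		RequestHeaders: map[string]string{"Content-Type": "application/json"},
	}
	if contentLength > 0 {
		req.RequestBody = body
	}
	return req
}

func main() {
	// Constructed sample: a container-create request asking for --privileged.
	body := []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)
	cases := []struct {
		name string
		req  AuthZRequest
	}{
		{"honest Content-Length", DaemonForward("alice", "POST", "/v1.45/containers/create", int64(len(body)), body)},
		{"Content-Length: 0", DaemonForward("alice", "POST", "/v1.45/containers/create", 0, body)},
	}
	for _, c := range cases {
		fmt.Printf("%-22s lenient allow=%-5v fail-closed allow=%v\n",
			c.name, LenientDecision(c.req).Allow, FailClosedDecision(c.req).Allow)
	}
}
```

The lesson for plugin authors is independent of the daemon fix: a policy that only denies on what it can see is fail-open by construction, so an endpoint that should carry a body but arrives without one must be denied rather than passed through.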
Docker has released patches for all supported Docker Engine branches. Every release up to and including v23.0.14 and v27.1.0 is affected; the fix ships in v23.0.15 and v27.1.1, so users should update to those versions or later. Docker Desktop 4.32.0 still bundles a vulnerable Docker Engine; the fix arrives with Docker Desktop 4.33.0. Docker Desktop does not load an AuthZ plugin by default, so only Desktop installations that have added one are exposed.
Users who cannot update immediately should disable AuthZ plugins and restrict Docker API access to trusted users only. The bypass only matters when an AuthZ plugin is making decisions, so an engine with no such plugin loaded is not exposed to this CVE; it then also has no authorization layer beyond who can reach the API, which means the Unix socket, and any TCP listener, must be limited to trusted users until a patched Engine is in place. Whether a plugin is loaded can be read from the Authorization entry under Plugins in the output of docker info.
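A check for the two questions raised by the update and mitigation advice above (is this engine patched, and is an AuthZ plugin loaded), written here as an added example rather than a tool from Docker. It assumes the docker CLI is on PATH and can reach the daemon, that the fix is present from v23.0.15 and v27.1.1 onward (and in every later release line), and that the older 19.03, 20.10, 24.0, 25.0, 26.x and 27.0 lines are reported as needing an upgrade, since the advice above names no patched release on them; the version strings in the test are constructed:

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

type version struct{ major, minor, patch int }

// parseVersion accepts "27.1.0", "v27.1.0", "27.1.0-rc.1" or "24.0.7+dfsg1".
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 { // drop pre-release/build suffix
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unexpected version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("unexpected version %q: %w", s, err)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// Patched reports whether a Docker Engine version carries the CVE-2024-41110
// fix: v23.0.15 and later on the 23.0 line, v27.1.1 and later on 27.1, and
// every later line. Other lines are reported as unpatched (upgrade).
func Patched(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	switch {
	case v.major > 27, v.major == 27 && v.minor > 1:
		return true, nil
	case v.major == 27 && v.minor == 1:
		return v.patch >= 1, nil
	case v.major == 23 && v.minor == 0:
		return v.patch >= 15, nil
	}
	return false, nil
}

// dockerOutput runs the docker CLI and returns its trimmed stdout.
func dockerOutput(args ...string) (string, error) {
	out, err := exec.Command("docker", args...).Output()
	return strings.TrimSpace(string(out)), err
}

func main() {
	ver, err := dockerOutput("version", "--format", "{{.Server.Version}}")
	if err != nil {
		fmt.Println("cannot query the daemon:", err)
		return
	}
	ok, err := Patched(ver)
	if err != nil {
		fmt.Println(err)
		return
	}
	// Loaded authorization plugins are listed under Plugins.Authorization;
	// the json template action prints null or [] when none is loaded.
	authz, _ := dockerOutput("info", "--format", "{{json .Plugins.Authorization}}")
	fmt.Printf("engine %s patched=%v authz plugins=%s\n", ver, ok, authz)
	if !ok && authz != "null" && authz != "[]" {
		fmt.Println("exposed: AuthZ plugin loaded on an unpatched engine; upgrade, or unload the plugin and restrict API access")
	}
}
```

Run it on each host that fronts its Docker socket with an AuthZ plugin; a host that reports an unpatched engine but no loaded plugin is not exposed to this bypass, but still has only socket permissions protecting the API.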