CVE-2023-5165

{"id": "CVE-2023-5165", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}, {"type": "Secondary", "source": "security@docker.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2023-09-25T16:15:15.773", "references": [{"url": "https://docs.docker.com/desktop/release-notes/#4230", "tags": ["Release Notes", "Vendor Advisory"], "source": "security@docker.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "security@docker.com", "description": [{"lang": "en", "value": "CWE-424"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching Docker Desktop. The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges. \n\nThis issue has been fixed in Docker Desktop 4.23.0. \n\nAffected Docker Desktop versions: from 4.13.0 before 4.23.0.\n"}, {"lang": "es", "value": "Docker Desktop anterior a 4.23.0 permite a un usuario sin privilegios evitar las restricciones de Enhanced Container Isolation (ECI) a trav\u00e9s del shell de depuraci\u00f3n, al que permanece accesible durante un breve per\u00edodo de tiempo despu\u00e9s de iniciar Docker Desktop. La funcionalidad afectada est\u00e1 disponible solo para clientes de Docker Business y asume un entorno donde los usuarios no reciben privilegios de administrador o root local. Este problema se solucion\u00f3 en Docker Desktop 4.23.0. Versiones de Docker Desktop afectadas: desde 4.13.0 anterior a 4.23.0."}], "lastModified": "2023-09-26T15:50:49.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B958322D-1E03-46F3-9AFA-0467DE4DC4EC", "versionEndExcluding": "4.23.0", "versionStartIncluding": "4.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@docker.com"}