CVE-2025-3224

A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege.

CVSS

No CVSS.

References

Link	Resource
https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks

Configurations

No configuration.

History

29 Apr 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad en el proceso de actualización de Docker Desktop para versiones de Windows anteriores a la 4.41.0 podría permitir que un atacante local con pocos privilegios aumente los privilegios a SYSTEM. Durante una actualización, Docker Desktop intenta eliminar archivos y subdirectorios en la ruta C:\ProgramData\Docker\config con privilegios elevados. Sin embargo, este directorio no suele existir por defecto, y C:\ProgramData\ permite a los usuarios crear nuevos directorios. Al crear una estructura de carpetas Docker\config maliciosa en esta ubicación, un atacante puede forzar el proceso de actualización con privilegios para que elimine o manipule archivos arbitrarios del sistema, lo que provoca una elevación de privilegios.

28 Apr 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-28 20:15

Updated : 2025-04-29 13:52

NVD link : CVE-2025-3224

Mitre link : CVE-2025-3224

CVE.ORG link : CVE-2025-3224

JSON object : View

Products Affected

No product.

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-269

Improper Privilege Management

{"id": "CVE-2025-3224", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@docker.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-28T20:15:21.127", "references": [{"url": "https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks", "source": "security@docker.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@docker.com", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0\u00a0could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\\ProgramData\\Docker\\config with high privileges. However, this directory often does not exist by default, and C:\\ProgramData\\ allows normal users to create new directories. By creating a malicious Docker\\config folder structure at this location, an attacker can force the privileged update process to delete or manipulate arbitrary system files, leading to Elevation of Privilege."}, {"lang": "es", "value": "Una vulnerabilidad en el proceso de actualizaci\u00f3n de Docker Desktop para versiones de Windows anteriores a la 4.41.0 podr\u00eda permitir que un atacante local con pocos privilegios aumente los privilegios a SYSTEM. Durante una actualizaci\u00f3n, Docker Desktop intenta eliminar archivos y subdirectorios en la ruta C:\\ProgramData\\Docker\\config con privilegios elevados. Sin embargo, este directorio no suele existir por defecto, y C:\\ProgramData\\ permite a los usuarios crear nuevos directorios. Al crear una estructura de carpetas Docker\\config maliciosa en esta ubicaci\u00f3n, un atacante puede forzar el proceso de actualizaci\u00f3n con privilegios para que elimine o manipule archivos arbitrarios del sistema, lo que provoca una elevaci\u00f3n de privilegios."}], "lastModified": "2025-04-29T13:52:10.697", "sourceIdentifier": "security@docker.com"}