CVE-2021-45449

Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login. This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://docs.docker.com/desktop/windows/release-notes/	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:docker:docker_desktop:4.3.0:::::::*
	cpe:2.3:a:docker:docker_desktop:4.3.1:::::::*

History

No history.

Information

Published : 2022-01-12 20:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-45449

Mitre link : CVE-2021-45449

CVE.ORG link : CVE-2021-45449

JSON object : View

Products Affected

docker

docker_desktop

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2021-45449", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-01-12T20:15:08.567", "references": [{"url": "https://docs.docker.com/desktop/windows/release-notes/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login. This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user\u2019s local files."}, {"lang": "es", "value": "Docker Desktop versiones 4.3.0 y 4.3.1, presenta un bug que puede registrar informaci\u00f3n confidencial (token de acceso o contrase\u00f1a) en la m\u00e1quina del usuario durante el inicio de sesi\u00f3n. Esto s\u00f3lo afecta a usuarios si est\u00e1n en Docker Desktop versiones 4.3.0, 4.3.1 y el usuario ha iniciado la sesi\u00f3n mientras est\u00e1 en versiones 4.3.0, 4.3.1. Para acceder a estos datos ser\u00eda necesario tener acceso a los archivos locales del usuario"}], "lastModified": "2022-01-19T19:14:43.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:docker:docker_desktop:4.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09B6DCE3-64F2-4F45-B23C-8837AF23146F"}, {"criteria": "cpe:2.3:a:docker:docker_desktop:4.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "898AE2A9-8207-41E5-A07C-F0AE2E8B0DB5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}