CVE-2022-38730
Published 2023-04-27
CVE-2022-38730: Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the…
Priority P4 · 31 · medium · 6.3 (CVSS 3.1)
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS 0.29% (20.7th percentile)
Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the data-root field inside the DaemonJSON field in the WindowsContainerStartRequest class. This allows exploiting a symlink vulnerability in ..\dataRoot\network\files\local-kv.db because of a TOCTOU race condition.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| docker | desktop | < 4.6.0 | 4.6.0 |
VulDB
Docker Desktop up to 4.5 on Windows dockerBackendV2 API WindowsContainerStartRequest data-root toctou (EUVD-2022-41297)
vuldb·2026-06-24·CVSS 6.3
CVE-2022-38730 [MEDIUM] Docker Desktop up to 4.5 on Windows dockerBackendV2 API WindowsContainerStartRequest data-root toctou (EUVD-2022-41297)
A vulnerability marked as problematic has been reported in Docker Desktop up to 4.5 on Windows. Affected by this vulnerability is the function WindowsContainerStartRequest of the component dockerBackendV2 API. This manipulation of the argument data-root causes time-of-check time-of-use.
This vulnerability appears as CVE-2022-38730. The attacker needs to be present on the local network. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
GHSA-pmgh-8j9v-4xhf: Docker Desktop for Windows before 4
ghsa_unreviewed·2023-04-27
CVE-2022-38730 [MEDIUM] CWE-367 GHSA-pmgh-8j9v-4xhf: Docker Desktop for Windows before 4
Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the data-root field inside the DaemonJSON field in the WindowsContainerStartRequest class. This allows exploiting a symlink vulnerability in ..\dataRoot\network\files\local-kv.db because of a TOCTOU race condition.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://docs.docker.com/desktop/release-notes/#docker-desktop-460
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
Published: 2023-04-27