CVE-2021-37841: 
Docker Desktop vulnerability analysis and mitigation

Docker Desktop before version 3.6.0 contains an incorrect access control vulnerability (CVE-2021-37841). The vulnerability allows a low-privileged account with access to the server running Windows containers to achieve full container compromise in both process isolation and Hyper-V isolation modes. This vulnerability was disclosed in August 2021 and affects Docker Desktop versions prior to 3.6.0 (NVD, Docker Release Notes).

The vulnerability stems from incorrect access control implementation in Docker Desktop's Windows container functionality. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) (NVD).

The security issue enables an attacker with low privileges to read and write data, and potentially execute code inside the containers. This affects containers running in both process isolation and Hyper-V isolation modes, effectively compromising the container security boundaries (NVD).

The vulnerability has been fixed in Docker Desktop version 3.6.0. Users running affected versions should upgrade to version 3.6.0 or later to mitigate this security issue (Docker Release Notes).