CVE-2022-34292: 
Docker Desktop vulnerability analysis and mitigation

Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647 (NVD, Docker Release Notes).

The vulnerability exists in the hyperv/create API function implemented by CreateOrConfigureAsync, which uses GetDiskPath to extract the DataFolder field from the settings object. The function creates a default DockerDesktop.vhdx file based on the path in the DataFolder field, allowing an attacker to specify arbitrary locations. The vmms.exe service creates the file instead of com.docker.service, enabling attackers to exploit this behavior through junction directory and object manager symlink techniques to rename and write files to privileged locations. The vulnerability has a CVSS v3.1 base score of 7.1 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) (NVD, CyberArk Research).

Successful exploitation allows attackers to overwrite any file on the system through a symlink attack, potentially leading to privilege escalation and system compromise (CyberArk Research).

The vulnerability was fixed in Docker Desktop version 4.6.0. Users should upgrade to this version or later to mitigate the risk. No workarounds are available for unpatched systems (Docker Release Notes).