CVE-2024-5652: 
Docker Desktop vulnerability analysis and mitigation

In Docker Desktop on Windows before v4.31.0, a vulnerability was discovered that allows users in the docker-users group to cause a Windows Denial-of-Service through the exec-path Docker daemon config option in Windows containers mode. The vulnerability was assigned CVE-2024-5652 and was disclosed on July 9, 2024 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates that the vulnerability requires local access, low attack complexity, low privileges, and no user interaction, while potentially causing high availability impact (NVD, ZDI).

The vulnerability affects system availability by allowing an attacker to create a denial-of-service condition on affected installations of Docker Desktop. The specific flaw exists within the Daemon CLI, where improper validation of a user-supplied path prior to using it in file operations can be exploited (ZDI).

Docker has released version 4.31.0 to address this vulnerability. Users are advised to upgrade to this version or later to mitigate the risk (Docker Release Notes).