The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker
위협 신호 · CVSS · EPSS · KEV
이론적 심각도 점수
30일 내 악용 확률 예측
실측 악용 기록 없음
CVSS 벡터 · 메트릭
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H약점 (CWE)
- CWE-863
잘못된 권한 검사 — 권한 판단 로직 오류로 부적절한 접근 허용.
상세 설명
The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.
A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.
AI 심층 분석
공격 시나리오 · 재현 가능한 PoC 페이로드 · 즉시 적용 가능한 차단 패치를 한 번에 받아 보세요. 보안 운영팀이 그대로 점검·티켓팅에 쓸 수 있는 형태로 정리해 드립니다.
영향받는 제품·버전
- docker docker_desktop4.41.0 - 4.59.0other
- apple macosmacos
- linux linux_kernellinux
- microsoft windowswindows
영향받는 구성 (CPE) 4
- docker docker_desktop≥ 4.41.0 < 4.59.0cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:*
- apple macoscpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
- linux linux_kernelcpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
- microsoft windowscpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
참고 자료 2
- https://docs.docker.com/desktop/release-notes/#4590Release Notes
- https://www.zerodayinitiative.com/advisories/ZDI-26-299/Third Party Advisory
링크 내용 불러오는 중…