Docker has issued an urgent security bulletin with fixes for a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. 
The vulnerability, tagged as CVE-2024-41110 with a CVSS severity score of 10/10, was originally found and fixed in 2018, but, inexplicably, a January 2019 patch was not carried forward to later major versions, resulting in a regression.
“Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted,” Docker warned.
“Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it,” according to the advisory.
“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker said.
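The failure mode described above, seen from the plugin side, as an added example that is not Docker's code or any real plugin's: a decision function that fails closed when a request it can only judge by its body arrives without one. The sample policy (deny privileged containers), the choice of `/containers/create` as the body-dependent endpoint, and the `Decide` name are assumptions for illustration; the struct fields follow the JSON the daemon sends to AuthZ plugins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest holds the fields of the daemon's authorization request used here.
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"` // base64-encoded on the wire
}

// AuthZResponse is the plugin's verdict.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Decide applies a sample policy (assumption: privileged containers are denied)
// and fails closed when the body it must inspect was not forwarded.
func Decide(req AuthZRequest) AuthZResponse {
	path := strings.SplitN(req.RequestURI, "?", 2)[0]
	if req.RequestMethod != "POST" || !strings.HasSuffix(path, "/containers/create") {
		return AuthZResponse{Allow: true} // sample policy does not depend on a body here
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Msg: "denied: request body was not forwarded"}
	}
	var spec struct {
		HostConfig struct{ Privileged bool }
	}
	if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
		return AuthZResponse{Msg: "denied: body is not valid JSON"}
	}
	if spec.HostConfig.Privileged {
		return AuthZResponse{Msg: "denied: privileged containers are not allowed"}
	}
	return AuthZResponse{Allow: true}
}

func main() {
	// Constructed sample: an authorization request that reached the plugin with no body.
	var req AuthZRequest
	_ = json.Unmarshal([]byte(`{"RequestMethod":"POST","RequestUri":"/v1.43/containers/create"}`), &req)
	fmt.Printf("%+v\n", Decide(req))
}
```

A plugin that treats a missing body as "nothing to object to" would allow the constructed request; this one denies it, which limits the impact on an unpatched daemon but does not replace the fixed Engine versions.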
Affected versions include Docker Engine versions