“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker said in the advisory.
The AuthZ plugin would have otherwise denied the request if the body had been forwarded to it, the company added.
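How a body-inspecting policy can end up approving a request that arrives without its body, next to a fail-closed variant, as an added example (not Docker's or any plugin's own code). The deny-privileged-containers policy, the `allow` function and the sample requests are assumptions; the field names follow the request the daemon sends to AuthZ plugins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest holds the subset of the daemon's plugin request used here.
type AuthZRequest struct {
	RequestMethod string
	RequestURI    string
	RequestBody   []byte // empty when the daemon forwards no body
}

// allow applies a hypothetical policy: no privileged containers.
// failClosed selects what happens when a create request has no body.
func allow(r AuthZRequest, failClosed bool) bool {
	path := strings.SplitN(r.RequestURI, "?", 2)[0]
	if r.RequestMethod != "POST" || !strings.HasSuffix(path, "/containers/create") {
		return true // outside this policy's scope
	}
	if len(r.RequestBody) == 0 {
		// Weak: nothing to inspect, so nothing is found to deny.
		// Hardened: a create request that cannot be inspected is refused.
		return !failClosed
	}
	var spec struct {
		HostConfig struct{ Privileged bool }
	}
	if err := json.Unmarshal(r.RequestBody, &spec); err != nil {
		return false // unparseable body is refused in both modes
	}
	return !spec.HostConfig.Privileged
}

func main() {
	// Constructed sample requests, not captured traffic.
	uri := "/containers/create?name=demo"
	full := AuthZRequest{"POST", uri, []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)}
	empty := AuthZRequest{"POST", uri, nil}
	fmt.Println("body forwarded: ", allow(full, false), allow(full, true))
	fmt.Println("body not forwarded:", allow(empty, false), allow(empty, true))
}
```

Failing closed in the plugin is defence in depth and does not replace running a daemon release that contains the fix.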
Low exploitability
The vulnerability was initially fixed in a January 2019 rollout, Docker Engine v18.09.1. However, subsequent rollouts, including Docker Engine v19.03 and newer versions, did not include the fix, leading to a regression.