[GHSA-p436-gjf2-799p] Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows

[schneidergithub]

Updates

• Affected products
• Description

Comments
Adding a workaround option for admins.

[github]

Hi there @thaJeztah! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

Updates the GHSA advisory text for Docker CLI Plugins to reflect updated metadata and to add an administrative workaround for the Windows uncontrolled search-path privilege escalation scenario.

Changes:

• Updated the advisory modified timestamp.
• Added a workaround recommendation for admins in the advisory details.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[JonathanLEvans]

Hi @schneidergithub,

Thank you for your interest in GHSA-p436-gjf2-799p. As we do not verify work arounds, we cannot approve this change. If @thaJeztah approves the changes, we would be happy to update the advisory.

[schneidergithub]

Hi @JonathanLEvans,
Understood. I am fairly new to contributing here and still learning the process. Is there a way to link to a discussion or something, for devs to discuss potential workarounds on these topics?

[JonathanLEvans]

Looks like this pull request was closed by accident 🙇 .

@schneidergithub, I am not sure what you are asking. If you are asking about adding a reference to GHSA-p436-gjf2-799p, we can any link we want so long as it is public and relevant to the advisory. So if the discussion were to occur in the pull request or somewhere else, we would link to it to keep readers of GHSA-p436-gjf2-799p aware of the discussion.

If you are asking about linking this pull request to a discussion that is happening elsewhere, you should be able to include the link in a comment and GitHub will make the connection.

[schneidergithub]

Hi @JonathanLEvans, My question was essentially about the "workaround" section of the advisory. Currently it states "None", whereas I was thinking that this could be linked to a discussion or include an 'unverified workaround', like the one I proposed.