CVE-2024-8696

Summary

A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2.

Affected Software

VendorProductVersion RangeStatus
DockerDocker Desktop0 < 4.34.2affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

Workarounds

Turn off Docker Extensions https://docs.docker.com/extensions/settings-feedback/#turn-on-or-turn-off-extensions Configure a private marketplace https://docs.docker.com/extensions/private-marketplace/ with a curated list of trusted extensions (for Docker Business customers only)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References