CVE-2023-1802

Published: Apr 6, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.

Affected (2)

Products: Docker: Desktop

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Docker Desktop	Version 4.17.0
Docker Desktop	Version 4.17.1

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (4)

https://docs.docker.com/desktop/release-notes/#4180

Source: security@docker.com

Release Notes

https://github.com/docker/for-win/issues/13344

Source: security@docker.com

Exploit

https://docs.docker.com/desktop/release-notes/#4180

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/docker/for-win/issues/13344

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.