CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Oct 2024 — Docker Desktop before v4.34.3 allows RCE via an unsanitized GitHub source link in the Build view. • https://docs.docker.com/desktop/release-notes/#4343 • CWE-20: Improper Input Validation; CWE-116: Improper Encoding or Escaping of Output

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Sep 2024 — A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2. • https://docs.docker.com/desktop/release-notes/#4342 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Sep 2024 — A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2. • https://docs.docker.com/desktop/release-notes/#4342 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Jul 2024 — In Docker Desktop before v4.29.0, an attacker who has gained access to the Docker Desktop VM through a container breakout can further escape to the host by passing extensions and dashboard related IPC messages. Docker Desktop v4.29.0 https://docs.docker.com/desktop/release-notes/#4290 fixes the issue on macOS, Linux and Windows with Hyper-V backend. As exploitation requires "Allow only extensions distributed through the Docker Marketplace" to be disabled, Docker Desktop v4.31.0 https://docs.docker.com/deskt... • https://github.com/Florian-Hoth/CVE-2024-6222 • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Jul 2024 — Docker Desktop on Windows before v4.31.0 allows a user in the docker-users group to cause a Windows Denial-of-Service through the exec-path Docker daemon config option in Windows containers mode. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Docker Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Daemon CLI. The ... • https://docs.docker.com/desktop/release-notes/#4310

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Sep 2023 — In Docker Desktop on Windows before 4.12.0, an argument injection into the installer may result in local privilege escalation (LPE). This issue affects Docker Desktop: before 4.12.0. • https://docs.docker.com/desktop/release-notes/#4120 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Sep 2023 — Docker Desktop 4.11.x allows --no-windows-containers flag bypass via IPC response spoofing, which may lead to Local Privilege Escalation (LPE). This issue affects Docker Desktop: 4.11.X. • https://docs.docker.com/desktop/release-notes/#4120 • CWE-501: Trust Boundary Violation

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Sep 2023 — Docker Desktop before 4.12.0 is vulnerable to RCE via query parameters in message-box route. This issue affects Docker Desktop: before 4.12.0. • https://docs.docker.com/desktop/release-notes/#4120 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Sep 2023 — Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog. This issue affects Docker Desktop: before 4.12.0. • https://docs.docker.com/desktop/release-notes/#4120 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS: 8.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Sep 2023 — Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0. • https://docs.docker.com/desktop/release-notes/#4230 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor