Vulnerability Details : CVE-2023-1802
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.
Products affected by CVE-2023-1802
- cpe:2.3:a:docker:desktop:4.17.0:*:*:*:*:windows:*:*
- cpe:2.3:a:docker:desktop:4.17.1:*:*:*:*:windows:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-1802
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS Score History
- Percentile: ~51% (the proportion of vulnerabilities that are scored at or lower)
CVSS scores for CVE-2023-1802
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | Docker Inc. | 
CWE ids for CVE-2023-1802
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security@docker.com (Secondary)
References for CVE-2023-1802
- https://github.com/docker/for-win/issues/13344 (Artifactory integration is leaking CR credentials! · Issue #13344 · docker/for-win · GitHub) [Exploit]
- https://docs.docker.com/desktop/release-notes/#4180 (Docker Desktop release notes) [Release Notes]