In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed
CVE-2023-1802

5.9 MEDIUM

Key Information:

Vendor: Docker
CVE Published: 6 April 2023

What is CVE-2023-1802?

In Docker Desktop version 4.17.x, a vulnerability exists in the Artifactory Integration where registry credentials may be sent over unencrypted HTTP instead of HTTPS if the HTTPS health check fails. This flaw primarily affects users with Access Experimental Features enabled who are logged into a private registry, making them potentially susceptible to targeted network sniffing attacks that could lead to the exposure of sensitive information.
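The downgrade pattern this advisory describes, shown as an added example (not Docker's code) beside a hardened version: the vulnerable endpoint selector falls back to http:// when the HTTPS health check fails, the hardened one treats that failure as an error, and a second guard refuses to attach credentials to any non-HTTPS request. The Probe type, host name and token are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Probe reports whether the registry answered a health check over scheme.
// Constructed stub so the example runs offline; real code would send a GET.
type Probe func(scheme, host string) bool

// ErrNoSecureTransport is returned instead of downgrading to cleartext HTTP.
var ErrNoSecureTransport = errors.New("HTTPS health check failed; refusing plaintext fallback")

// endpointVulnerable mirrors the flaw described for CVE-2023-1802: when the HTTPS
// health check fails it silently falls back to http://, so credentials attached
// to the request would cross the network in cleartext.
func endpointVulnerable(host string, probe Probe) (*url.URL, error) {
	if probe("https", host) {
		return &url.URL{Scheme: "https", Host: host}, nil
	}
	return &url.URL{Scheme: "http", Host: host}, nil // BUG: silent downgrade
}

// endpointHardened never downgrades: a failed HTTPS check is an error, not a fallback.
func endpointHardened(host string, probe Probe) (*url.URL, error) {
	if probe("https", host) {
		return &url.URL{Scheme: "https", Host: host}, nil
	}
	return nil, ErrNoSecureTransport
}

// attachCredentials is an independent guard where the secret is used:
// it refuses to put a bearer token on anything but an HTTPS request.
func attachCredentials(req *http.Request, token string) error {
	if req.URL.Scheme != "https" {
		return fmt.Errorf("refusing to send credentials over %q", req.URL.Scheme)
	}
	req.Header.Set("Authorization", "Bearer "+token)
	return nil
}

func main() {
	// Constructed scenario: the HTTPS health check fails but plain HTTP answers.
	down := func(scheme, _ string) bool { return scheme == "http" }
	u, _ := endpointVulnerable("registry.example.internal", down)
	req, _ := http.NewRequest(http.MethodGet, u.String()+"/v2/", nil)
	fmt.Println("vulnerable chose", u, "; attach:", attachCredentials(req, "token"))
	_, err := endpointHardened("registry.example.internal", down)
	fmt.Println("hardened:", err)
}
```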

Affected Version(s)

Docker Desktop for Windows, from 4.17.0 up to (but not including) 4.18.0

CVSS v3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
