Show plain JSON{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8696", "assignerOrgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e", "state": "PUBLISHED", "assignerShortName": "Docker", "dateReserved": "2024-09-11T12:15:42.463Z", "datePublished": "2024-09-12T17:54:34.968Z", "dateUpdated": "2024-09-12T19:27:18.773Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Docker Extensions"], "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM"], "product": "Docker Desktop", "vendor": "Docker", "versions": [{"lessThan": "4.34.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Docker Extensions are enabled"}], "value": "Docker Extensions are enabled"}], "credits": [{"lang": "en", "type": "finder", "value": "Cure53"}], "datePublic": "2024-09-12T16:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2."}], "value": "A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}, {"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.9, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e", "shortName": "Docker", "dateUpdated": "2024-09-12T17:54:34.968Z"}, "references": [{"tags": ["release-notes"], "url": "https://docs.docker.com/desktop/release-notes/#4342"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update Docker Desktop to 4.34.2 or a later version"}], "value": "Update Docker Desktop to 4.34.2 or a later version"}], "source": {"discovery": "EXTERNAL"}, "title": "A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2.", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.docker.com/extensions/settings-feedback/#turn-on-or-turn-off-extensions\">Turn off Docker Extensions</a><br>"}], "value": "Turn off\u00a0Docker Extensions https://docs.docker.com/extensions/settings-feedback/#turn-on-or-turn-off-extensions"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Configure a <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.docker.com/extensions/private-marketplace/\">private marketplace</a> with a curated list of trusted extensions (for Docker Business customers only)"}], "value": "Configure a private marketplace https://docs.docker.com/extensions/private-marketplace/ with a curated list of trusted extensions (for Docker Business customers only)"}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "docker", "product": "docker_desktop", "cpes": ["cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.34.2", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T19:25:46.342468Z", "id": "CVE-2024-8696", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T19:27:18.773Z"}}]}}