CVE-2024-8696
Description
A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2.
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Affected
- Docker / Docker Desktop: versions from 0 up to, but not including, 4.34.2 (affected)
CVSS
- Version 4.0: score 8.9, severity HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References
- https://docs.docker.com/desktop/release-notes/#4342 (release notes)
Source
cvelistV5-main/cves/2024/8xxx/CVE-2024-8696.json