CVE-2024-8695 & CVE-2024-8696: Two Critical RCE Flaws Discovered in Docker Desktop
Docker Desktop, the go-to application for containerized application development, has recently been found to harbor two critical security vulnerabilities that could enable remote code execution (RCE) attacks.
Docker Desktop offers developers a streamlined graphical interface for managing containers, an essential technology for deploying applications consistently across environments. Whether for testing, development, or deployment, Docker Desktop simplifies containerized workflows, making it an indispensable tool for developers, even those without deep knowledge of container infrastructure.
The vulnerabilities, tracked as CVE-2024-8695 and CVE-2024-8696, were discovered in Docker Desktop versions prior to 4.34.2. They stem from the way Docker Desktop handles extension descriptions, changelogs, and publisher URLs. By crafting malicious input in these fields, attackers can trick Docker Desktop into executing arbitrary code on the victim’s system.
Both vulnerabilities have been assigned high CVSS scores, indicating their potential for significant damage. CVE-2024-8695 has a CVSSv4 score of 9.0, while CVE-2024-8696 has a CVSS score of 8.9. These scores highlight the ease with which these vulnerabilities can be exploited and the severe consequences they can have, including:
- Unauthorized access to sensitive data
- Installation of malware
- Complete takeover of the affected system
Given the severity of these vulnerabilities and the widespread use of Docker Desktop, it is crucial for users to take immediate action to protect themselves. Docker has already released a patched version, 4.34.2, that addresses these vulnerabilities. All users are strongly urged to update to this version as soon as possible.
In addition to updating, users should also exercise caution when installing extensions from untrusted sources. Always verify the legitimacy of an extension before installing it, and pay close attention to any warnings or unusual behavior during the installation process.
