CVE-2023-0625— Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-0625
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog
Source: NVD (National Vulnerability Database)
Vulnerability Description
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog. This issue affects Docker Desktop: before 4.12.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Docker Desktop 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Docker Desktop是美国Docker公司的一个基于容器技术的用于轻量化部署应用的桌面软件。该产品可提供桌面环境可支持在Linux/Windows/Mac OS系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。 Docker Desktop 存在代码注入漏洞,该漏洞源于通过精心设计的扩展描述或变更日志可以进行远程代码执行攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Docker Inc. | Docker Desktop | 0 ~ 4.12.0 | - |
II. Public POCs for CVE-2023-0625
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-0625
请登录查看更多情报信息。
- https://docs.docker.com/desktop/release-notes/#4120release-notes
- https://nvd.nist.gov/vuln/detail/CVE-2023-0625
Same Patch Batch · Docker Inc. · 2023-09-25 · 6 CVEs total
| CVE-2023-5166 | 8.0 HIGH | Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL |
| CVE-2023-0626 | 8.0 HIGH | Docker Desktop before 4.12.0 is vulnerable to RCE via query parameters in message-box rout |
| CVE-2023-0633 | 7.2 HIGH | In Docker Desktop on Windows before 4.12.0 an argument injection to installer may result i |
| CVE-2023-5165 | 7.1 HIGH | Docker Desktop before 4.23.0 allows Enhanced Container Isolation bypass via debug shell |
| CVE-2023-0627 | 6.7 MEDIUM | Docker Desktop 4.11.x allows --no-windows-containers flag bypass |
IV. Related Vulnerabilities
Same product: Docker Desktop
- CVE-2026-2664
Out of bounds read vulnerability in grpcfuse kernel module - CVE-2025-14740
Docker Desktop for Windows Incorrect Permission Assignment P - CVE-2025-13743
Expired Personal Access Tokens (PATs) are recorded in Docker - CVE-2025-9164
Multiple DLL Search Order Hijacking Vulnerabilities in Docke - CVE-2025-10657
Docker Desktop with ECI Fails to Enforce Socket Command Rest
Same vendor: Docker Inc.
- CVE-2025-14740
Docker Desktop for Windows Incorrect Permission Assignment P - CVE-2024-6222
In Docker Desktop before v4.29.0 an attacker who has gained - CVE-2024-5652
In Docker Desktop on Windows before v4.31.0 allows a user in - CVE-2023-0633
In Docker Desktop on Windows before 4.12.0 an argument injec - CVE-2023-0627
Docker Desktop 4.11.x allows --no-windows-containers flag by
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2023-0625
No comments yet