Artifactory integration is leaking CR credentials! #13344

Open
2 of 3 tasks
b1czu opened this issue Mar 28, 2023 · 2 comments
Comments

b1czu commented Mar 28, 2023

  • I have tried with the latest version of Docker Desktop
  • I have tried disabling enabled experimental features
  • I have uploaded Diagnostics
  • Diagnostics ID:

Actual behavior

When the Access experimental features option is enabled in Docker Desktop (v4.17.1) settings, credentials for a private container registry (which uses TLS) are leaked by periodically sending plain HTTP GET requests to the example.container.registry:5050/artifactory/api/system/ping endpoint. These requests contain Authorization: Basic XYZ headers, so the user's credentials are sent as plaintext over the network.

Screenshot of request: [image]
Screenshot of pcap in Wireshark: [image]

I'm using self-hosted GitLab with Container Registry enabled on port 5050 with active TLS (https). I haven't tested it (yet) on other platforms.

Expected behavior

User credentials should not be leaked!

Information

  • Windows Version: Windows 10 22H2 19045.2728
  • Docker Desktop Version: v4.17.1
  • WSL2 or Hyper-V backend? WSL2
  • Are you running inside a virtualized Windows e.g. on a cloud server or a VM: I've tested it on a physical workstation and also on an ESXi-virtualized Windows 10.

Steps to reproduce the behavior

  1. Install Docker Desktop v4.17.1 on Windows 10 with WSL2 enabled.
  2. Log in to any private Container Registry using docker login <example.registry.com:5050>.
  3. Make sure that the Access experimental features option is enabled.
  4. Pull any image from the private repository using docker pull <example.registry.com:5050/test-image:latest>.
  5. Start a network sniffer. It could be Wireshark installed locally or any network sniffing solution on the path between Docker Desktop and the Container Registry.
  6. Restart Docker Desktop several times. Click several times on the Containers and Images options in the application menu. When I was testing, the request was mostly sent when the Images section was opened after a while of not looking at it.
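As an added example (not code from the original report or from Docker Desktop), here is a small Python check that runs over constructed sniffer output and flags cleartext HTTP requests carrying Basic credentials, the pattern described above. The hostname, account name and password in the sample are hypothetical; only the username is decoded so the finding can be used to rotate the affected account.

```python
from __future__ import annotations

import base64
import re

# Constructed sample: three raw HTTP requests as a sniffer on the wire would see
# them (hypothetical hostname and credentials, not values from the report).
CAPTURED_REQUESTS = [
    "GET /artifactory/api/system/ping HTTP/1.1\r\n"
    "Host: example.container.registry:5050\r\n"
    "Authorization: Basic ZGVwbG95LWJvdDpzdXBlcnNlY3JldA==\r\n"
    "User-Agent: constructed-client\r\n\r\n",
    "GET /v2/ HTTP/1.1\r\n"
    "Host: example.container.registry:5050\r\n"
    "Authorization: Bearer constructed.opaque.token\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: intranet.example\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")


def find_cleartext_basic_auth(raw_request: str) -> dict | None:
    """Return a finding if this plaintext request carries HTTP Basic credentials.

    Only the username half of user:password is kept; the password is discarded
    so the detector itself never stores the secret it just found on the wire.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None  # not an HTTP request line; nothing to inspect
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # no Authorization header, or a non-Basic scheme
    try:
        user = base64.b64decode(token, validate=True).decode().split(":", 1)[0]
    except (ValueError, UnicodeDecodeError):
        user = "<undecodable>"  # still a cleartext Basic header: report it
    return {"host": headers.get("host", "?"), "path": match["path"], "user": user}


def scan(requests: list[str]) -> list[dict]:
    """Run the check over every captured request and keep only the findings."""
    return [f for f in (find_cleartext_basic_auth(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(CAPTURED_REQUESTS):
        print(f"cleartext Basic auth for '{finding['user']}' to "
              f"{finding['host']}{finding['path']} -> rotate this credential")
```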
nicks commented Mar 30, 2023

Thank you for the report! We're investigating a fix.

fblampe commented Apr 17, 2023

The release notes of version 4.18 say that this was fixed, so I suppose this issue can be closed?

Also, this issue should probably contain a hint that this is CVE-2023-1802, which links back here.
