I have tried with the latest version of Docker Desktop
I have tried disabling enabled experimental features
I have uploaded Diagnostics
Diagnostics ID:
Actual behavior
When the Access experimental features option is enabled in Docker Desktop (v4.17.1) settings, credentials to a private container registry (which uses TLS) are leaked by periodically sending plain HTTP GET requests to the example.container.registry:5050/artifactory/api/system/ping endpoint. These requests contain Authorization: Basic XYZ headers, so the user's credentials are sent in plaintext through the network.
Screenshot of request:
Screenshot of pcap in wireshark:
I'm using self-hosted GitLab with Container Registry enabled on port 5050 with active TLS (https). I haven't tested it (yet) on other platforms.
Expected behavior
User credentials should not be leaked!
Information
Windows Version: Windows 10 22H2 19045.2728
Docker Desktop Version: v4.17.1
WSL2 or Hyper-V backend? WSL2
Are you running inside a virtualized Windows e.g. on a cloud server or a VM: I've tested it on a physical workstation and also on an ESXi-virtualized Windows 10.
Steps to reproduce the behavior
Install Docker Desktop v4.17.1 on Windows 10 with WSL2 enabled.
Log in to any private Container Registry using docker login <example.registry.com:5050>.
Make sure that the Access experimental features option is enabled.
Pull any image from a private repository using docker pull <example.registry.com:5050:test-image:latest>.
Start a network sniffer. This could be Wireshark installed locally or any network sniffing solution on the path between Docker Desktop and the Container Registry.
Restart Docker Desktop several times. Click several times on the Containers and Images options in the application menu. When I was testing, the request was mostly sent when the Images section was opened after a while of not looking at it.
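
A defender-side check for the behaviour reported above, as an added example that is not part of the original report or of Docker's code: it scans reassembled TCP payloads from a capture on the registry port and flags any plaintext HTTP request that carries an Authorization header, keeping the user name but never the password. The sample payloads, the credential and the function names are constructed for illustration.

```python
import base64
from dataclasses import dataclass

# Constructed sample payloads, as they might be exported from a capture on port 5050.
# The Basic token is base64("alice:s3cret"), a made-up credential.
SAMPLE_PAYLOADS = [
    b"GET /artifactory/api/system/ping HTTP/1.1\r\n"
    b"Host: example.container.registry:5050\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32,  # start of a TLS record
    b"GET /v2/ HTTP/1.1\r\nHost: example.container.registry:5050\r\n\r\n",
]
METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"PATCH ", b"DELETE ", b"OPTIONS ")

@dataclass
class Finding:
    host: str
    path: str
    scheme: str
    user: str  # the password is deliberately never kept

def find_cleartext_credentials(payload: bytes):
    """Return a Finding if payload is a plaintext HTTP request with credentials."""
    if not payload.startswith(METHODS):
        return None  # TLS records begin with 0x16, not an HTTP method
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    auth = headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    user = "<not decoded>"
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
            user = decoded.decode("utf-8", "replace").partition(":")[0]
        except ValueError:
            user = "<undecodable>"
    return Finding(headers.get("host", "?"), parts[1], scheme, user)

def scan(payloads):
    """Run the check over every payload and keep only the hits."""
    return [f for f in map(find_cleartext_credentials, payloads) if f]
```

Any finding for a registry that is supposed to be reached only over TLS means the credential has crossed the network in the clear and should be rotated.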