mirror of
https://github.com/docker/docs.git
synced 2026-03-27 22:38:54 +07:00
## Description

- Improvement to RSS feed, add single items for each release item
- This approach requires data .yaml files to keep things clean, Hugo doesn't output RSS well with just parsing HTML and headings

## Preview

- https://deploy-preview-23419--docsdocker.netlify.app/desktop/release-notes/index.xml
- https://deploy-preview-23419--docsdocker.netlify.app/security/security-announcements/

## Related issues or tickets

https://docker.atlassian.net/browse/ENGDOCS-2999
59 lines
5.5 KiB
YAML
```yaml
announcements:
  - title: "Docker Desktop 4.44.3 security update: CVE-2025-9074"
    date: "2025-08-20"
    anchor: "docker-desktop-4443-security-update-cve-2025-9074"
    summary: "Security fix for CVE-2025-9074"
    description: "Fixed CVE-2025-9074 where a malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted. This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability."

  - title: "Docker Desktop 4.44.0 security update: CVE-2025-23266"
    date: "2025-07-31"
    anchor: "docker-desktop-4440-security-update-cve-2025-23266"
    summary: "NVIDIA Container Toolkit vulnerability awareness"
    description: "CVE-2025-23266 is a critical vulnerability affecting the NVIDIA Container Toolkit in CDI mode up to version 1.17.7. Docker Desktop includes version 1.17.8, which is not impacted. However, older versions of Docker Desktop that bundled earlier toolkit versions may be affected if CDI mode was manually enabled. Upgrade to Docker Desktop 4.44 or later to ensure you're using the patched version."

  - title: "Docker Desktop 4.43.0 security update: CVE-2025-6587"
    date: "2025-07-03"
    anchor: "docker-desktop-4430-security-update-cve-2025-6587"
    summary: "Security fix for CVE-2025-6587"
    description: "Fixed CVE-2025-6587 where sensitive system environment variables were included in Docker Desktop diagnostic logs, allowing for potential secret exposure."

  - title: "Docker Desktop 4.41.0 Security Update: CVE-2025-3224, CVE-2025-4095, and CVE-2025-3911"
    date: "2025-05-15"
    anchor: "docker-desktop-4410-security-update-cve-2025-3224-cve-2025-4095-and-cve-2025-3911"
    summary: "Three security vulnerabilities fixed"
    description: "Three vulnerabilities in Docker Desktop were fixed on April 28 in the 4.41.0 release: CVE-2025-3224 (elevation of privilege during updates), CVE-2025-4095 (Registry Access Management policy bypass on macOS), and CVE-2025-3911 (sensitive information exposure in log files). We strongly encourage updating to Docker Desktop 4.41.0."

  - title: "Docker Desktop 4.34.2 Security Update: CVE-2024-8695 and CVE-2024-8696"
    date: "2024-09-13"
    summary: "Docker Extensions RCE vulnerabilities fixed"
    description: "Two remote code execution (RCE) vulnerabilities in Docker Desktop related to Docker Extensions were reported by Cure53 and fixed on September 12 in the 4.34.2 release. CVE-2024-8695 (Critical) and CVE-2024-8696 (High) could be abused by malicious extensions. No existing extensions exploiting the vulnerabilities were found. We strongly encourage updating to Docker Desktop 4.34.2."

  - title: "Deprecation of password logins on CLI when SSO enforced"
    date: "2024-07-01"
    anchor: "deprecation-of-password-logins-on-cli-when-sso-enforced"
    summary: "CLI password authentication ending for SSO-enforced organizations"
    description: "When SSO enforcement was first introduced, Docker provided a grace period to continue using passwords on the Docker CLI. On September 16, 2024, this grace period will end and passwords will no longer authenticate to Docker Hub via the Docker CLI when SSO is enforced. Affected users must switch to Personal Access Tokens (PATs) to continue signing in."

  - title: "SOC 2 Type 2 attestation and ISO 27001 certification"
    date: "2024-06-01"
    anchor: "soc-2-type-2-attestation-and-iso-27001-certification"
    summary: "Docker achieves security certifications"
    description: "Docker has received SOC 2 Type 2 attestation and ISO 27001 certification with no exceptions or major non-conformities. Security is a fundamental pillar to Docker's operations, and these certifications demonstrate Docker's ongoing commitment to security for our user base."

  - title: "Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby"
    date: "2024-02-02"
    anchor: "docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby"
    summary: "Critical container ecosystem vulnerabilities addressed"
    description: "Security researchers at Snyk Labs identified four security vulnerabilities: CVE-2024-21626 (runc), CVE-2024-23651, CVE-2024-23652, CVE-2024-23653 (BuildKit), plus CVE-2024-23650 and CVE-2024-24557. Patched versions were published January 31 with Docker Desktop 4.27.1 released February 1. Update to runc ≥1.1.12, BuildKit ≥0.12.5, Moby ≥25.0.2/24.0.9, and Docker Desktop ≥4.27.1."

  - title: "Text4Shell CVE-2022-42889"
    date: "2022-10-01"
    anchor: "text4shell-cve-2022-42889"
    summary: "Apache Commons Text library vulnerability"
    description: "CVE-2022-42889 discovered in Apache Commons Text library. Versions up to but not including 1.10.0 are affected. Docker Hub security scans after October 21, 2021 correctly identify this CVE. Several Docker Official Images contained vulnerable versions and have been updated: bonita, Couchbase, Geonetwork, neo4j, silverpeas, solr, xwiki."

  - title: "Log4j 2 CVE-2021-44228"
    date: "2021-12-01"
    anchor: "log4j-2-cve-2021-44228"
    summary: "Critical Log4j 2 remote code execution vulnerability"
    description: "The Log4j 2 CVE-2021-44228 vulnerability allows remote code execution from easily available contexts. Vulnerable versions are 2.0 to 2.14.1 inclusive. First fixed version is 2.15.0, but 2.17.0 recommended for complete fix due to CVE-2021-45046 and CVE-2021-45105. Docker Hub scans after December 13, 2021 correctly identify Log4j 2 CVEs. Multiple Docker Official Images were affected and updated."
```