From 4e73ac6cfb23e46269f9657c1aa37fe0145e3cf4 Mon Sep 17 00:00:00 2001 From: Gabriela Georgieva Date: Fri, 13 Sep 2024 14:33:26 +0200 Subject: [PATCH] Add Docker Desktop 4.34.2 security update in Security Announcements --- content/manuals/security/security-announcements.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/content/manuals/security/security-announcements.md b/content/manuals/security/security-announcements.md index d03f6e483c..5e06189d06 100644 --- a/content/manuals/security/security-announcements.md +++ b/content/manuals/security/security-announcements.md 
@@ -7,6 +7,19 @@ toc_min: 1 toc_max: 2 --- +## Docker Desktop 4.34.2 Security Update: CVE-2024-8695 and CVE-2024-8696 + +_Last updated September 13, 2024_ + +Two remote code execution (RCE) vulnerabilities in Docker Desktop related to Docker extensions were reported by [Cure53](https://cure53.de/) and were fixed on September 12 in the [4.34.2](https://docs.docker.com/desktop/release-notes/#4342) release. + +- [CVE-2024-8695](https://www.cve.org/cverecord?id=CVE-2024-8695): A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2. [Critical] +- [CVE-2024-8696](https://www.cve.org/cverecord?id=CVE-2024-8696): A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2. [High] + +No existing extensions exploiting the vulnerabilities were found in the Extensions Marketplace. The Docker team will be closely monitoring and diligently reviewing any requests for publishing new extensions. + +We strongly encourage you to update to Docker Desktop [4.34.2](https://docs.docker.com/desktop/release-notes/#4342). If you are unable to update promptly, you can [disable Docker extensions](https://docs.docker.com/extensions/settings-feedback/#turn-on-or-turn-off-extensions) as a workaround. + ## Deprecation of password logins on CLI when SSO enforced _Last updated July, 2024_
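Review bot: the workaround paragraph at the end of the added section tells readers who cannot update to disable Docker extensions, but it does not say whether an extension that is already installed stays a risk once the toggle is off, or whether the fix in 4.34.2 also covers extensions installed before the update; a sentence on what disabling extensions does and does not cover would make the mitigation actionable, and the affected range ("before 4.34.2") should appear in that paragraph too, not only inside the two CVE bullets. Two smaller points in the same hunk: both CVE bullets re-expand "remote code execution (RCE)" although the opening sentence already did, so "An RCE vulnerability via crafted extension description/changelog ..." reads cleaner, and the new `_Last updated September 13, 2024_` line uses a full date while the existing section right below it uses `_Last updated July, 2024_`; pick one date format for the page.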