GHSA-j249-ghv5-7mxv — high GitHub Advisory (CVE-2019-13509) in go/github.com/docker/docker

描述

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

基本信息

类型: reviewed
严重度: high
GitHub 上的公告: 打开公告 ↗
仓库公告: —
源代码: 未指定
公开（公告）: 2022-05-24 16:50:40 UTC
更新时间: 2023-08-15 20:17:39 UTC
GitHub 审核: 2023-08-15 20:17:38 UTC
NVD 公开: 2019-07-18

Score	Percentile
1.55%	81.16%

CVSS Scores

Base score	Version	Severity	Vector
7.5	3.0	—	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` 点击展开攻击向量 (AV:N) 经互联网或企业内可路由网段即可从远端触达，攻击者不必出现在设备旁。攻击复杂度 (AC:L) 前置条件清晰，成功路径稳定，不依赖罕见竞态或苛刻环境。权限要求 (PR:N) 不必事先登录或提权，匿名会话也可能成为跳板。用户交互 (UI:N) 无需受害者点击链接、放行宏或安装软件，攻击链可自动走完。作用域 (S:U) 破坏局限在脆弱组件原本的安全权限与信任域之内。机密性影响 (C:H) 批量读取、导出或长期潜伏窃取机密数据，在实战上成立。完整性影响 (I:N) 对记录真实性与不可否认性的破坏可忽略。可用性影响 (A:N) 不至于造成业务意义上的长时间停摆或灾难性性能崩塌。

Identifiers

Type	Value
GHSA	GHSA-j249-ghv5-7mxv ↗
CVE	CVE-2019-13509 ↗

CWEs

CWE id	Name
CWE-532	Insertion of Sensitive Information into Log File

Credits

joshbressers (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
go	github.com/docker/docker	< 18.09.8	18.09.8	—

Secret insertion into debug log in Docker

描述