GHSA-j249-ghv5-7mxv — high GitHub Advisory (CVE-2019-13509) in go/github.com/docker/docker

描述

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

基本資訊

類型: reviewed
嚴重度: high
GitHub 上的公告: 開啟公告 ↗
儲存庫公告: —
原始碼: 未指定
公開（公告）: 2022-05-24 16:50:40 UTC
更新時間: 2023-08-15 20:17:39 UTC
GitHub 審核: 2023-08-15 20:17:38 UTC
NVD 公開: 2019-07-18

Score	Percentile
1.55%	81.16%

CVSS Scores

Base score	Version	Severity	Vector
7.5	3.0	—	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` 點擊展開攻擊向量 (AV:N) 可經網際網路或企業內可路由網段從遠端觸達，攻擊者不必在裝置旁邊。攻擊複雜度 (AC:L) 前置條件清楚，成功路徑穩定，不必仰賴罕見競態或極端環境。權限需求 (PR:N) 不必事先登入或提權，匿名工作階段也可能成為跳板。使用者互動 (UI:N) 不必受害者點連結、放行巨集或安裝軟體，攻擊鏈可自動走完。作用域 (S:U) 破壞局限在脆弱元件原本的安全權限與信任域之內。機密性影響 (C:H) 大量讀取、匯出或長期潛伏竊取機敏資料，在實務上成立。完整性影響 (I:N) 對紀錄真實性與不可否認性的破壞可忽略。可用性影響 (A:N) 不至於造成業務意義上的長時間停擺或災難性效能崩塌。

Identifiers

Type	Value
GHSA	GHSA-j249-ghv5-7mxv ↗
CVE	CVE-2019-13509 ↗

CWEs

CWE id	Name
CWE-532	Insertion of Sensitive Information into Log File

Credits

joshbressers (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
go	github.com/docker/docker	< 18.09.8	18.09.8	—

Secret insertion into debug log in Docker

描述