CVE-2019-13509
Published 2019-07-18
Priority P3 · 44 · high · CVSS 3.0: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 3.65% (88.2th percentile)
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 18.09.1+dfsg1-8 (bookworm) | docker.io 18.09.1+dfsg1-8 (bookworm) |
| docker | docker | < 18.09.8 | 18.09.8 |
| docker | docker | — | — |
| docker | docker | — | — |
| docker | docker | — | — |
| docker | docker | >= 18.09.0 < 18.09.8 | 18.09.8 |
| github.com | docker_docker | >= 0 < 18.09.8 | 18.09.8 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_moby-buildx_0.4.1+azure-3_on_cbl_mariner_1.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
Red Hat
docker: Docker Engine in debug mode may sometimes add secrets to the debug log leading to information disclosure
vendor_redhat · 2019-07-23 · CVSS 7.5 · HIGH · CWE-117
Statement: This issue does affect the versions of docker as shipped with Red Hat Enterprise Linux 7; however, debug mode on the daemon needs to be explicitly enabled, as the docker systemd service does not enable debug mode by default.
Red Hat Fuse provides only the Docker client library and is not
Microsoft
vendor_msrc · 2019-07-09 · CVSS 7.5 · HIGH · CWE-532
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transpar
Debian
CVE-2019-13509: docker.io
vendor_debian · 2019 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 18.09.1+dfsg1-8)
bullseye: resolved (fixed in 18.09.1+dfsg1-8)
forky: resolved (fixed in 18.09.1+dfsg1-8)
sid: resolved (fixed in 18.09.1+dfsg1-8)
trixie: resolved (fixed in 18.09.1+dfsg1-8)
OSV
Secret insertion into debug log in Docker
osv · 2022-05-24 · HIGH
GHSA
Secret insertion into debug log in Docker
ghsa · 2022-05-24 · HIGH · CWE-532
OSV
CVE-2019-13509
osv · 2019-07-18 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-13509 docker: Docker Engine in debug mode may sometimes add secrets to the debug log leading to information disclosure [epel-6]
bugzilla · 2019-07-23 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-6.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Bugzilla
CVE-2019-13509 docker: Docker Engine in debug mode may sometimes add secrets to the debug log leading to information disclosure
bugzilla · 2019-07-23 · CVSS 7.5 · HIGH
Upstream Issue:
https://docs.docker.com/engine/release-notes/#180908
Discussion:
Created docker tracking bugs for this issue:
Affects: epel-6 [bug 1732420]
Affects: fedora-all [bug 1732419]
---
Upstream patches:
https://github.com/moby/moby/commit/73db8c77bfb2d0cbdf71ce491f3d3e
Bugzilla
CVE-2019-13509 docker: Docker Engine in debug mode may sometimes add secrets to the debug log leading to information disclosure [fedora-all]
bugzilla · 2019-07-23 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
References
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html
http://www.securityfocus.com/bid/109253
https://docs.docker.com/engine/release-notes/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N674WD3OBDPHLWY6EABRHQH5ON6SUJBU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFFBVE7O73TAVY2BCWXSA2OOSLJVCPXC/
https://seclists.org/bugtraq/2019/Sep/21
https://security.netapp.com/advisory/ntap-20190828-0003/
https://www.debian.org/security/2019/dsa-4521