Fluid Attacks Database

Description

Secret insertion into debug log in Docker In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	docker.io	>=0 <18.09.1+dfsg1-8	18.09.1+dfsg1-8
debian 14	docker.io	>=0 <18.09.1+dfsg1-8	18.09.1+dfsg1-8
go	github.com/docker/docker	>=0 <18.09.8	18.09.8
debian 11	docker.io	>=0 <18.09.1+dfsg1-8	18.09.1+dfsg1-8
debian 12	docker.io	>=0 <18.09.1+dfsg1-8	18.09.1+dfsg1-8
rpm rhel7	docker	-	-

Aliases

1. CVE-2019-135092. NVD-2019-135093. OSV-DEBIAN-2019-135094. OSV-2019-135095. GCVE-2019-135096. SECURITY-TRACKER-CVE-2019-13509

References

1. https://docs.docker.com/engine/release-notes/18.09