CVE-2019-13509

Name
CVE-2019-13509
Description
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Release Notes https://docs.docker.com/engine/release-notes/
Third Party Advisory http://www.securityfocus.com/bid/109253
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFFBVE7O73TAVY2BCWXSA2OOSLJVCPXC/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N674WD3OBDPHLWY6EABRHQH5ON6SUJBU/
CONFIRM https://security.netapp.com/advisory/ntap-20190828-0003/
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html
DEBIAN https://www.debian.org/security/2019/dsa-4521
BUGTRAQ https://seclists.org/bugtraq/2019/Sep/21

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:docker:docker:17.03.2:6:*:*:enterprise:*:*:* docker == None == 17.03.2
cpe:2.3:a:docker:docker:17.06.2:10:*:*:enterprise:*:*:* docker == None == 17.06.2
cpe:2.3:a:docker:docker:18.03.1:9:*:*:enterprise:*:*:* docker == None == 18.03.1
cpe:2.3:a:docker:docker:*:*:*:*:enterprise:*:*:* docker >= 18.09.0 < 18.09.8

Vulnerable and fixed packages

Source package Branch Version Maintainer Status