SB2019071825 - Inclusion of Sensitive Information in Log Files in docker (Alpine package)
Published: July 18, 2019
Security Bulletin ID
SB2019071825
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2019-13509)
The vulnerability allows a local attacker to access sensitive information on a targeted system.
The vulnerability exists due to the software can add secrets to the debug log when the "docker stack deploy" command is used while running in debug mode to redeploy a stack which includes non-external secrets. A local authenticated attacker can gain access to sensitive information, such as secrets in the log files on a targeted system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=24924763d56dd80da5430746a238868ab6cc20d5
- https://git.alpinelinux.org/aports/commit/?id=873f13520c5a2c28b7a91904d7da0656c0a2cf2d
- https://git.alpinelinux.org/aports/commit/?id=a885fe876c9b7f33ca7f3d7daf212f7bae868840
- https://git.alpinelinux.org/aports/commit/?id=c0c44e97533d0c402b3529f7149502e1bf6fc13c