CVE-2025-6587

System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc. A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection.

CVSS

No CVSS.

References

Link	Resource
https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs

Configurations

No configuration.

History

03 Jul 2025, 15:13

Type	Values Removed	Values Added
Summary		(es) Las variables de entorno del sistema se registran en los registros de diagnóstico de Docker Desktop al usar el autocompletado del shell. Esto provoca la divulgación involuntaria de información confidencial, como claves de API, contraseñas, etc. Un agente malicioso con acceso de lectura a estos registros podría obtener secretos y utilizarlos para obtener acceso no autorizado a otros sistemas. A partir de la versión 4.43.0, Docker Desktop ya no registra las variables de entorno del sistema como parte de la recopilación de registros de diagnóstico.

03 Jul 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-03 10:15

Updated : 2025-07-03 15:13

NVD link : CVE-2025-6587

Mitre link : CVE-2025-6587

CVE.ORG link : CVE-2025-6587

JSON object : View

Products Affected

No product.

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2025-6587", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@docker.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-03T10:15:37.773", "references": [{"url": "https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs", "source": "security@docker.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@docker.com", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc.\u00a0\nA malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection."}, {"lang": "es", "value": "Las variables de entorno del sistema se registran en los registros de diagn\u00f3stico de Docker Desktop al usar el autocompletado del shell. Esto provoca la divulgaci\u00f3n involuntaria de informaci\u00f3n confidencial, como claves de API, contrase\u00f1as, etc. Un agente malicioso con acceso de lectura a estos registros podr\u00eda obtener secretos y utilizarlos para obtener acceso no autorizado a otros sistemas. A partir de la versi\u00f3n 4.43.0, Docker Desktop ya no registra las variables de entorno del sistema como parte de la recopilaci\u00f3n de registros de diagn\u00f3stico."}], "lastModified": "2025-07-03T15:13:53.147", "sourceIdentifier": "security@docker.com"}