CVE-2025-6587

Severity CVSS v4.0:

MEDIUM

Type:

CWE-532 Information Exposure Through Log Files

Publication date:

03/07/2025

Last modified:

03/07/2025

Description

System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc. <br /> A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection.

Impact

Vector 4.0

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS v4.0 Severity and Metrics:

Base Score: 5.20 MEDIUM
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): None
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High

Base Score 4.0

5.20

Severity 4.0

MEDIUM

References to Advisories, Solutions, and Tools

https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs