CVE-2019-13509: In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometime...

Description

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

Metrics

EPSS Probability

3.65%

88.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-532

Affected Software

Vendor	Product	Versions	Update
Docker	Docker	>= 18.09.0, < 18.09.8	—
Docker	Docker	17.03.2	1
Docker	Docker	17.06.2	1
Docker	Docker	18.03.1	1
Docker	Docker	< 18.09.8	—

References

Timeline

Published: Jul 18, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-13509?

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

How severe is CVE-2019-13509?

Severity scoring for CVE-2019-13509 is pending analysis. The EPSS model estimates a 3.65% probability of exploitation in the next 30 days.

How do I fix CVE-2019-13509?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.