{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3911", "assignerOrgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e", "state": "PUBLISHED", "assignerShortName": "Docker", "dateReserved": "2025-04-23T20:43:14.232Z", "datePublished": "2025-04-29T17:20:34.740Z", "dateUpdated": "2025-04-29T17:58:50.628Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "Docker Desktop", "vendor": "Docker", "versions": [{"lessThan": "4.41.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to&nbsp;unintentional disclosure of sensitive information such as api keys, passwords, etc.<br><br>A malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user.<br>"}], "value": "Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to\u00a0unintentional disclosure of sensitive information such as api keys, passwords, etc.\n\nA malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.2, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e", "shortName": "Docker", "dateUpdated": "2025-04-29T17:20:34.740Z"}, "references": [{"url": "https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs"}], "source": {"discovery": "UNKNOWN"}, "title": "Exposure in Docker Desktop logs of environment variables configured for running containers", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-29T17:58:42.810551Z", "id": "CVE-2025-3911", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T17:58:50.628Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3911", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-29T17:58:42.810551Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T17:58:46.165Z"}}], "cna": {"title": "Exposure in Docker Desktop logs of environment variables configured for running containers", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Docker", "product": "Docker Desktop", "versions": [{"status": "affected", "version": "0", "lessThan": "4.41.0", "versionType": "semver"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to\u00a0unintentional disclosure of sensitive information such as api keys, passwords, etc.\n\nA malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user.", "supportingMedia": [{"type": "text/html", "value": "Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to&nbsp;unintentional disclosure of sensitive information such as api keys, passwords, etc.<br><br>A malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e", "shortName": "Docker", "dateUpdated": "2025-04-29T17:20:34.740Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3911", "state": "PUBLISHED", "dateUpdated": "2025-04-29T17:58:50.628Z", "dateReserved": "2025-04-23T20:43:14.232Z", "assignerOrgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e", "datePublished": "2025-04-29T17:20:34.740Z", "assignerShortName": "Docker"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to\u00a0unintentional disclosure of sensitive information such as api keys, passwords, etc.\n\nA malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user."}, {"lang": "es", "value": "El registro de variables de entorno configuradas para la ejecuci\u00f3n de contenedores en los registros de la aplicaci\u00f3n Docker Desktop podr\u00eda provocar la divulgaci\u00f3n involuntaria de informaci\u00f3n confidencial, como claves API, contrase\u00f1as, etc. Un agente malicioso con acceso de lectura a estos registros podr\u00eda obtener informaci\u00f3n confidencial de credenciales y utilizarla para obtener acceso no autorizado a otros sistemas. A partir de la versi\u00f3n 4.41.0, Docker Desktop ya no registra las variables de entorno configuradas por el usuario."}], "id": "CVE-2025-3911", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@docker.com", "type": "Secondary"}]}, "published": "2025-04-29T18:15:44.370", "references": [{"source": "security@docker.com", "url": "https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs"}], "sourceIdentifier": "security@docker.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@docker.com", "type": "Secondary"}]}

{}

{"created": "2025-06-23T19:31:59.932382+00:00", "updated": "2025-06-23T19:31:59.932431+00:00", "vendors": ["docker", "docker$PRODUCT$docker_desktop"]}