Main Vulnerability Database Vulnerabilities #VU107606

#VU107606 Inclusion of Sensitive Information in Log Files in Buildx - CVE-2025-0495

Published: April 18, 2025

Vulnerability identifier: #VU107606

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-0495

CWE-ID: CWE-532

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Buildx

Software vendor:
Docker Inc.

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records.

Remediation

Install updates from vendor's website.

External links

https://bugzilla.suse.com/show_bug.cgi?id=1239765

#VU107606 Inclusion of Sensitive Information in Log Files in Buildx - CVE-2025-0495

Description

Remediation

External links

Please verify you're human