Insertion of Sensitive Information into Externally-Accessible File or Directory
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Sensitive information such as passwords, secrets, tokens, or API keys should not be passed as Docker build arguments (`ARG` in the Dockerfile, `--build-arg` on the command line). Build-arg values do not stay outside the final image: for every `RUN` instruction, Docker records the build args in scope, with their values, in that layer's history metadata, so anyone who can pull or inspect the image can recover them with `docker history --no-trunc`, long after the build and regardless of whether the running container still has them. If the `RUN` step also writes the value to a file (a `.npmrc`, a `.netrc`, a config file), the secret is additionally preserved in that layer's filesystem. For build-time credentials, use a BuildKit secret mount (`RUN --mount=type=secret,id=...` in the Dockerfile together with `docker build --secret id=...,src=...`), which exposes the value only to that step and never stores it in the image.
Impact
If exploited, an attacker with access to the Docker image (for example, anyone who can pull it from a registry) can extract the credentials with `docker history --no-trunc` or `docker image history --no-trunc` and use them to gain unauthorized access to internal systems, APIs, or databases, leading to data breaches and further compromise of the infrastructure.
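The following is an added example, not code from the original page or from any scanner vendor. It shows a vulnerable Dockerfile next to its hardened BuildKit counterpart, a static check that flags `ARG` names that look like secrets, and the runtime check a practitioner would do after the fact: parsing `docker history --no-trunc --format '{{.CreatedBy}}'` output for the `|N name=value ...` records Docker writes into a `RUN` layer's history when build args are in scope. The Dockerfiles, the history lines and the `NPM_TOKEN` value are constructed for the example; the name-matching pattern is a heuristic assumption, not a standard.

```python
"""Find build-time secrets leaked into Docker image metadata (CWE-538).

Two checks:
  1. find_sensitive_args(): static scan of a Dockerfile for ARG names that
     look like credentials.
  2. leaked_build_args(): scan of `docker history --no-trunc
     --format '{{.CreatedBy}}'` output for the `|N name=value` prefix that
     Docker records on RUN layers built with build args in scope.
"""
import re

# Heuristic (assumption, not a standard): ARG names that usually hold secrets.
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I
)

# Constructed vulnerable Dockerfile: the token is a build arg, so it lands in
# the RUN layer's history AND in the ~/.npmrc file inside that layer.
VULNERABLE_DOCKERFILE = """\
FROM node:20-alpine
ARG APP_VERSION=1.0
ARG NPM_TOKEN
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm ci
"""

# Hardened counterpart: a BuildKit secret mount exposes the file only to this
# RUN step; nothing is written to the image layer or its history.
# Build with:  docker build --secret id=npmrc,src=$HOME/.npmrc .
HARDENED_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM node:20-alpine
ARG APP_VERSION=1.0
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
"""

# Constructed `docker history --no-trunc --format '{{.CreatedBy}}'` output
# (newest layer first) for an image built from VULNERABLE_DOCKERFILE.
SAMPLE_HISTORY_VULNERABLE = [
    'CMD ["node"]',
    'RUN |2 APP_VERSION=1.0 NPM_TOKEN=npm_live_0123456789 /bin/sh -c echo '
    '"//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm ci # buildkit',
    "ARG NPM_TOKEN",
    "ARG APP_VERSION=1.0",
    "/bin/sh -c #(nop) ADD file:abc123 in /",
]

# Constructed history for the hardened build: the RUN layer carries no build
# arg record for the secret and no mount details.
SAMPLE_HISTORY_HARDENED = [
    'CMD ["node"]',
    "RUN |1 APP_VERSION=1.0 /bin/sh -c npm ci # buildkit",
    "ARG APP_VERSION=1.0",
    "/bin/sh -c #(nop) ADD file:abc123 in /",
]

ARG_INSTRUCTION = re.compile(r"^\s*ARG\s+([A-Za-z_][A-Za-z0-9_]*)")
# Legacy builder writes `|N ...` at the start of CreatedBy; BuildKit prefixes
# it with `RUN `. N is the number of name=value tokens that follow.
BUILD_ARG_RECORD = re.compile(r"(?:^|RUN\s+)\|(\d+)\s+(.*)")


def find_sensitive_args(dockerfile):
    """Return ARG names declared in `dockerfile` whose names look like secrets."""
    found = []
    for line in dockerfile.splitlines():
        m = ARG_INSTRUCTION.match(line)
        if m and SENSITIVE_NAME.search(m.group(1)):
            found.append(m.group(1))
    return found


def leaked_build_args(history_lines):
    """Return (layer_index, name, value) for every build arg recorded in history."""
    leaks = []
    for idx, created_by in enumerate(history_lines):
        m = BUILD_ARG_RECORD.search(created_by)
        if not m:
            continue
        count = int(m.group(1))
        for token in m.group(2).split()[:count]:
            name, _, value = token.partition("=")
            leaks.append((idx, name, value))
    return leaks


def leaked_secrets(history_lines):
    """Subset of leaked_build_args() whose names match SENSITIVE_NAME."""
    return [t for t in leaked_build_args(history_lines) if SENSITIVE_NAME.search(t[1])]


if __name__ == "__main__":
    print("static, vulnerable :", find_sensitive_args(VULNERABLE_DOCKERFILE))
    print("static, hardened   :", find_sensitive_args(HARDENED_DOCKERFILE))
    print("history, vulnerable:", leaked_secrets(SAMPLE_HISTORY_VULNERABLE))
    print("history, hardened  :", leaked_secrets(SAMPLE_HISTORY_HARDENED))
```

To run the runtime check against a real image, feed `leaked_build_args()` the lines from `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE`; without `--no-trunc` Docker shortens the `CreatedBy` column and the value may be cut off. Note that the static check flags only suspicious names; an innocuous-looking `ARG` that receives a secret via `--build-arg` is still recorded in history, which is why the history scan is the authoritative check.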