CVE-2019-13139

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.

Published: Aug 22, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-13139
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.4
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
docker / docker	-	18.09.4

https://access.redhat.com/errata/RHBA-2019:3092
https://docs.docker.com/engine/release-notes/#18094
https://github.com/moby/moby/pull/38944
https://seclists.org/bugtraq/2019/Sep/21
https://security.netapp.com/advisory/ntap-20190910-0001/
https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
https://www.debian.org/security/2019/dsa-4521

Vulnerability Database

CVE-2019-13139