CVE-2019-13139

Name: CVE-2019-13139
Description: In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because the git ref can be misinterpreted as a flag.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
References: DSA-4521-1
Debian Bugs: 933002

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
docker.io (PTS) | buster, buster (security) | 18.09.1+dfsg1-7.1+deb10u3 | fixed
docker.io (PTS) | bullseye | 20.10.5+dfsg1-1+deb11u2 | fixed
docker.io (PTS) | bookworm | 20.10.24+dfsg1-1 | fixed
docker.io (PTS) | sid, trixie | 20.10.25+dfsg1-2 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
docker.io | source | experimental | 18.09.5+dfsg1-1 | | |
docker.io | source | buster | 18.09.1+dfsg1-7.1+deb10u1 | | DSA-4521-1 |
docker.io | source | (unstable) | 18.09.1+dfsg1-8 | | | 933002

Notes

https://github.com/moby/moby/pull/38944
https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
