CVE-2019-13139

Name: CVE-2019-13139
Description: In Docker before 18.09.4, an attacker who can supply or manipulate the build path for the "docker build" command is able to gain command execution. The issue lies in how "docker build" processes remote git URLs: the ref portion of the URL is passed into the underlying "git clone" command, where it can be misinterpreted as a flag, resulting in command injection and code execution in the context of the user running "docker build".
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DSA-4521-1
NVD severity: medium (attack range: local)
Debian Bugs: 933002
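The description above says the ref part of a remote build context reaches the git command line as an argument, where a leading dash turns it into an option. The Go code below is an added example, not moby's own code: a hypothetical splitGitRemote/validateRef/fetchArgs trio that rejects flag-shaped refs and places git's "--" separator before the ref so it can never be parsed as an option. The URL values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRefLooksLikeFlag is returned when the ref portion of a build-context URL
// begins with '-', which git would parse as an option rather than a ref.
var ErrRefLooksLikeFlag = errors.New("git ref must not begin with '-'")

// splitGitRemote splits a "docker build" style remote such as
// "git://host/repo.git#branch:subdir" into URL, ref and subdirectory.
// Hypothetical helper for this example; it mirrors the documented
// "#ref:dir" fragment syntax of "docker build".
func splitGitRemote(remote string) (url, ref, subdir string) {
	url, fragment, _ := strings.Cut(remote, "#")
	ref, subdir, _ = strings.Cut(fragment, ":")
	return url, ref, subdir
}

// validateRef rejects refs that git would interpret as command-line flags.
func validateRef(ref string) error {
	if strings.HasPrefix(ref, "-") {
		return ErrRefLooksLikeFlag
	}
	return nil
}

// fetchArgs builds the argument vector for "git fetch". The "--" separator
// tells git that everything after it is an operand, never an option, so a
// ref that slipped past validation still cannot become a flag.
func fetchArgs(ref string) ([]string, error) {
	if err := validateRef(ref); err != nil {
		return nil, err
	}
	return []string{"fetch", "--depth", "1", "origin", "--", ref}, nil
}

func main() {
	for _, r := range []string{
		"git://example.invalid/app.git#main:docker",   // constructed, benign
		"git://example.invalid/app.git#--some-option", // constructed, flag-shaped ref
	} {
		_, ref, _ := splitGitRemote(r)
		args, err := fetchArgs(ref)
		fmt.Printf("%-45s -> args=%v err=%v\n", r, args, err)
	}
}
```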

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release            Version                     Status
docker.io        buster             18.09.1+dfsg1-7.1           vulnerable
docker.io        buster (security)  18.09.1+dfsg1-7.1+deb10u1   fixed
docker.io        bullseye           18.09.1+dfsg1-9             fixed
docker.io        sid                18.09.9+dfsg1-2             fixed

The information below is based on the following data on fixed versions.

Package    Type    Release       Fixed Version               Urgency  Origin      Debian Bugs
docker.io  source  (unstable)    18.09.1+dfsg1-8             medium               933002
docker.io  source  buster        18.09.1+dfsg1-7.1+deb10u1   medium   DSA-4521-1
docker.io  source  experimental  18.09.5+dfsg1-1             medium

Notes

https://github.com/moby/moby/pull/38944
https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
