CVE-2019-13139

Name: CVE-2019-13139
Description: In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 933002
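The root cause described above is a git ref that git reads as an option rather than a positional argument. The following Go code is an added defensive illustration, not Docker's own code or the upstream fix: it parses the assumed "repo#ref:subdir" remote-context syntax, rejects refs that begin with "-", and places "--" before the ref when building the git argument vector so that git stops option parsing. All names and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RemoteContext is a hypothetical representation of a remote build
// context "https://host/repo.git#ref:subdir" (syntax assumed here).
type RemoteContext struct {
	Repo   string
	Ref    string
	Subdir string
}

// ErrRefLooksLikeFlag is returned for refs git could parse as an option.
var ErrRefLooksLikeFlag = errors.New("git ref must not start with '-'")

// ParseRemoteContext splits the URL fragment into ref and subdir and
// refuses any ref that begins with '-', which is the class of input
// that CVE-2019-13139 describes being passed through to git as a flag.
func ParseRemoteContext(raw string) (RemoteContext, error) {
	parts := strings.SplitN(raw, "#", 2)
	rc := RemoteContext{Repo: parts[0]}
	if len(parts) == 2 {
		frag := strings.SplitN(parts[1], ":", 2)
		rc.Ref = frag[0]
		if len(frag) == 2 {
			rc.Subdir = frag[1]
		}
	}
	if strings.HasPrefix(rc.Ref, "-") {
		return RemoteContext{}, ErrRefLooksLikeFlag
	}
	return rc, nil
}

// FetchArgs builds the "git fetch" argument vector. The "--" separator
// is an independent second defence: git treats everything after it as
// a positional argument even if it starts with '-'.
func FetchArgs(rc RemoteContext) []string {
	ref := rc.Ref
	if ref == "" {
		ref = "HEAD"
	}
	return []string{"git", "fetch", "--depth", "1", "origin", "--", ref}
}

func main() {
	for _, in := range []string{
		"https://example.invalid/repo.git#v1.2:app", // constructed, benign
		"https://example.invalid/repo.git#--option", // constructed, rejected
	} {
		rc, err := ParseRemoteContext(in)
		if err != nil {
			fmt.Println("rejected:", in, "->", err)
			continue
		}
		fmt.Println("argv:", strings.Join(FetchArgs(rc), " "))
	}
}
```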

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release           Version             Status
docker.io (PTS)    buster, bullseye  18.09.1+dfsg1-7.1   vulnerable
docker.io (PTS)    sid               18.09.1+dfsg1-8     fixed

The information below is based on the following data on fixed versions.

Package    Type    Release       Fixed Version     Urgency  Origin  Debian Bugs
docker.io  source  (unstable)    18.09.1+dfsg1-8                    933002
docker.io  source  experimental  18.09.5+dfsg1-1

Notes

[buster] - docker.io <no-dsa> (Minor issue)
https://github.com/moby/moby/pull/38944
https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
