CVE-2019-13139

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-13139
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13139.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-13139
Related
Published
2019-08-22T20:15:12Z
Modified
2024-09-11T02:00:06Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.

References

Affected packages

Debian:11 / docker.io

Package

Name
docker.io
Purl
pkg:deb/debian/docker.io?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.09.1+dfsg1-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / docker.io

Package

Name
docker.io
Purl
pkg:deb/debian/docker.io?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.09.1+dfsg1-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / docker.io

Package

Name
docker.io
Purl
pkg:deb/debian/docker.io?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.09.1+dfsg1-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}