CVE-2019-13139 — OS Command Injection in Docker
Severity: NVD 8.4 HIGH; OSV 9.8
EPSS: 0.5% (top 32.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 22
Latest update: May 24
Description
In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.5 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (4)
Vendor Advisories (3)
Microsoft (2019-08-13): In Docker before 18.09.4 an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "dock...
Debian (2019): CVE-2019-13139: docker.io - In Docker before 18.09.4, an attacker who is capable of supplying or manipulatin...
Community (6)
Bugzilla (2019-07-30): CVE-2019-13139 docker: command injection due to a missing validation of the git ref command [epel-6]
Bugzilla (2019-07-30): CVE-2019-13139 docker: command injection due to a missing validation of the git ref command [fedora-all]
Bugzilla (2019-07-23): CVE-2019-13139 docker: command injection due to a missing validation of the git ref command [openstack-rdo]
Bugzilla (2019-07-23): CVE-2019-13139 docker: command injection due to a missing validation of the git ref command [fedora-all]
Bugzilla (2019-07-23): CVE-2019-13139 docker: command injection due to a missing validation of the git ref command