CVE-2019-13139
HIGHDocker < 18.09.4 - OS Command Injection via Git Clone Command
Title source: llmDescription
In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.
References (7)
Core 7
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/moby/moby/pull/38944
Release Notes, Vendor Advisory x_refsource_misc
https://docs.docker.com/engine/release-notes/#18094
Exploit, Third Party Advisory x_refsource_misc
https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2019/dsa-4521
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190910-0001/
Mailing List mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Sep/21
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:3092
Scores
CVSS v3
8.4
EPSS
0.0194
EPSS Percentile
77.6%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
docker/docker
< 18.09.4
Published
Aug 22, 2019
Tracked Since
Feb 18, 2026