CVE-2019-13139

Published: 22 August 2019

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs: it results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because a git ref can be misinterpreted as a flag.
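
A defensive sketch of the argument handling this class of bug calls for, added here as an illustration and not taken from Docker's code or its fix. The helper names `parseContext` and `cloneArgs`, the host `example.invalid`, the destination `/tmp/ctx` and the choice of `git clone --branch=` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// parseContext splits a remote build context "repo#ref:subdir" into its parts.
// ref and subdir are optional and come back empty when absent.
func parseContext(remote string) (repo, ref, subdir string) {
	parts := strings.SplitN(remote, "#", 2)
	repo = parts[0]
	if len(parts) == 2 {
		frag := strings.SplitN(parts[1], ":", 2)
		ref = frag[0]
		if len(frag) == 2 {
			subdir = frag[1]
		}
	}
	return repo, ref, subdir
}

// cloneArgs (hypothetical helper) builds a git argv in which neither the
// repository nor the ref can be parsed as an option.
func cloneArgs(remote, dest string) ([]string, error) {
	repo, ref, _ := parseContext(remote)
	// Reject values git would read as flags if passed as bare arguments.
	if strings.HasPrefix(repo, "-") || strings.HasPrefix(ref, "-") {
		return nil, errors.New("repository or ref starts with '-'")
	}
	args := []string{"clone", "--depth=1"}
	if ref != "" {
		// "--branch=<ref>" binds the ref to its option as a single token.
		args = append(args, "--branch="+ref)
	}
	// "--" ends option parsing; everything after it is positional.
	return append(args, "--", repo, dest), nil
}

func main() {
	// Constructed inputs; example.invalid is a placeholder host.
	for _, r := range []string{
		"https://example.invalid/app.git#v1.2:src",
		"https://example.invalid/app.git#--constructed-flag",
	} {
		args, err := cloneArgs(r, "/tmp/ctx")
		fmt.Println(args, err)
	}
}
```

The returned slice is meant to be passed to `exec.Command("git", args...)`, which runs git without a shell, so the ref is never re-split or re-interpreted on the way.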

Priority

Unknown

CVSS 3 base score: 8.4

Status

Package: docker.io (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (18.09.4)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (18.09.7)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (18.09.7)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist