CVSSv2: 4.6

CVE-2019-13139

Published: 22/08/2019 Updated: 24/08/2020
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 8.4 | Impact Score: 5.9 | Exploitability Score: 2.5
VMScore: 411
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

In Docker prior to 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because a git ref can be misinterpreted as a flag.

Vulnerable Products

docker / docker

Vendor Advisories

Debian Bug report logs - #933002 docker.io: CVE-2019-13139. Package: src:docker.io; Maintainer for src:docker.io is Dmitry Smirnov <onlyjob@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 25 Jul 2019 17:27:01 UTC; Severity: grave; Tags: security, upstream; Found in versions docker.io/18.09 ...
Three security vulnerabilities have been discovered in the Docker container runtime: insecure loading of NSS libraries in docker cp could result in execution of code with root privileges, sensitive data could be logged in debug mode, and there was a command injection vulnerability in the docker build command. For the stable distribution (buster), th ...
A command injection flaw was discovered in Docker during the `docker build` command. By providing a specially crafted path argument for the container to build, it is possible to inject command options into the `git fetch`/`git checkout` commands that are executed by Docker and to execute code with the privileges of the user running Docker. A local at ...
Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go (CVE-2018-20699). A command injection flaw was discovered in Docker during the `docker build` comman ...