SB2019091012 - Debian update for docker.io
Published: September 10, 2019 Updated: March 16, 2023
Security Bulletin ID
SB2019091012
Severity
Medium
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Command Injection (CVE-ID: CVE-2019-13139)
The vulnerability allows a local attacker to inject and execute arbitrary commands on the target system.
The vulnerability exists due to the affected software misinterprets the "git ref" command as a flag. A local authenticated user who is able to execute the "docker build" command and has control over the build path can inject and execute arbitrary commands on the target system.
2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2019-13509)
The vulnerability allows a local attacker to access sensitive information on a targeted system.
The vulnerability exists due to the software can add secrets to the debug log when the "docker stack deploy" command is used while running in debug mode to redeploy a stack which includes non-external secrets. A local authenticated attacker can gain access to sensitive information, such as secrets in the log files on a targeted system.
3) Insecure dynamic library loading (CVE-ID: CVE-2019-14271)
The vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to the application loads NSS libraries in docker cp
in an insecure manner. A local attacker can pass a specially crafted library file to the application and execute arbitrary code on the system with elevated privileges.
Remediation
Install update from vendor's website.