#VU20954 Command Injection in Docker Engine - CVE-2019-13139


Published: September 10, 2019


Vulnerability identifier: #VU20954
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-13139
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Docker Engine
Software vendor: Docker Inc.

Description

The vulnerability allows a local attacker to inject and execute arbitrary commands on the target system.

The vulnerability exists because the affected software misinterprets a git ref as a command-line flag. A local authenticated user who is able to execute the "docker build" command and has control over the build path can inject and execute arbitrary commands on the target system.
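A defensive illustration added here, not Docker's own code and not part of the original advisory: the bug class described above, a user-controlled git ref reaching git's option parser, is avoided by refusing ref names that git itself would reject (a leading "-" is the rule that matters for flag confusion) and by terminating option parsing with "--" before any positional arguments. The function names ValidateGitRef and GitFetchArgs and the remote URL are assumptions made for the example; the format checks are a subset of git's check-ref-format rules.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned when a ref name is not acceptable to git or
// could be read by git's option parser as a flag.
var ErrUnsafeRef = errors.New("ref is not a valid git ref name")

// ValidateGitRef applies a subset of git's check-ref-format rules
// (hypothetical helper for this example). Rejecting a leading '-' is the
// check that stops a user-supplied ref from being parsed as an option.
func ValidateGitRef(ref string) error {
	if ref == "" || strings.HasPrefix(ref, "-") {
		return ErrUnsafeRef
	}
	for _, r := range ref {
		// control characters, DEL, space and git's reserved punctuation
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrUnsafeRef
		}
	}
	if strings.Contains(ref, "..") || strings.Contains(ref, "@{") ||
		strings.HasSuffix(ref, "/") || strings.HasSuffix(ref, ".") ||
		strings.HasSuffix(ref, ".lock") {
		return ErrUnsafeRef
	}
	return nil
}

// GitFetchArgs builds the argv for fetching one ref from a remote
// (hypothetical helper). Besides validating both inputs, it places "--"
// before the positional arguments so git's option parser treats whatever
// follows as operands, never as flags.
func GitFetchArgs(remote, ref string) ([]string, error) {
	if remote == "" || strings.HasPrefix(remote, "-") {
		return nil, errors.New("remote must not be empty or start with '-'")
	}
	if err := ValidateGitRef(ref); err != nil {
		return nil, err
	}
	return []string{"git", "fetch", "--", remote, ref}, nil
}

func main() {
	// constructed sample refs: two valid names, one option-like, one with ".."
	for _, ref := range []string{"master", "v1.2.3", "--some-option", "feature/../x"} {
		args, err := GitFetchArgs("https://example.invalid/repo.git", ref)
		fmt.Printf("%-16q -> %v (err=%v)\n", ref, args, err)
	}
}
```

The argv returned by GitFetchArgs is what a caller would hand to exec.Command; nothing in this example runs git, so it is safe to execute offline.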

Remediation

Install updates from the vendor's website.

External links