Command Injection in Docker Engine - CVE-2019-13139
Published: September 10, 2019
Vulnerability identifier: #VU20954
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-13139
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Docker Inc.
Affected software: Docker Engine
Detailed vulnerability description
The vulnerability allows a local attacker to inject and execute arbitrary commands on the target system.
The vulnerability exists because "docker build" passes the git ref portion of a remote git URL build context (the part after "#" in a path such as "https://host/repo.git#ref:subdir") to the underlying git command without sanitizing it, so a ref beginning with a dash can be misinterpreted by git as a command-line flag. A local authenticated user who is able to run "docker build" and who controls the build path can therefore inject and execute arbitrary commands in the context of the user running "docker build".
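The following Go program is an added illustration of the flaw class described above; it is not moby's own code, and the "git fetch" argument list it builds is a simplified stand-in for whatever git invocation the real builder performed. It parses the documented "repo#ref:subdir" remote-context syntax, shows how an unsanitized ref lands in git's option position, and shows a hardened variant that refuses refs git could read as flags. The malicious build path is a constructed example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// BuildContext holds the parts of a Docker-style remote git build context
// of the form <repo>#<ref>:<subdir>; the fragment and its parts are optional.
type BuildContext struct {
	Repo   string
	Ref    string
	Subdir string
}

// ParseGitContext splits "https://host/repo.git#ref:subdir" into its parts.
// The ref and subdir are taken verbatim, which is exactly where a
// user-controlled value enters the build without any checks.
func ParseGitContext(remote string) BuildContext {
	ctx := BuildContext{Repo: remote}
	if i := strings.Index(remote, "#"); i >= 0 {
		ctx.Repo = remote[:i]
		fragment := remote[i+1:]
		ctx.Ref = fragment
		if j := strings.Index(fragment, ":"); j >= 0 {
			ctx.Ref = fragment[:j]
			ctx.Subdir = fragment[j+1:]
		}
	}
	return ctx
}

// VulnerableFetchArgs builds the argv of a fetch that appends the ref as-is
// (a simplified model of the pre-fix behaviour, not moby's exact command).
// A ref such as "--upload-pack=touch /tmp/pwned;" ends up where git parses
// options, and --upload-pack names a program for git to run instead of a
// ref to fetch.
func VulnerableFetchArgs(ctx BuildContext) []string {
	ref := ctx.Ref
	if ref == "" {
		ref = "HEAD"
	}
	return []string{"git", "fetch", "--depth", "1", "origin", ref}
}

// refPattern is a deliberately conservative allow-list for ref names. It is
// stricter than git's own rules: anything unusual is rejected rather than
// forwarded to git.
var refPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ValidateRef rejects refs git could read as an option (leading '-') and
// anything outside the allow-list or otherwise not a plausible ref name.
func ValidateRef(ref string) error {
	if ref == "" {
		return nil // empty means "default branch"; the caller substitutes HEAD
	}
	if strings.HasPrefix(ref, "-") {
		return errors.New("ref must not start with '-': git would parse it as an option")
	}
	if !refPattern.MatchString(ref) {
		return fmt.Errorf("ref %q contains characters outside the allowed set", ref)
	}
	if strings.Contains(ref, "..") || strings.HasSuffix(ref, ".lock") {
		return fmt.Errorf("ref %q is not a valid git ref name", ref)
	}
	return nil
}

// SafeFetchArgs validates the ref before it can reach git and refuses to
// build a command line for anything that fails validation.
func SafeFetchArgs(ctx BuildContext) ([]string, error) {
	if err := ValidateRef(ctx.Ref); err != nil {
		return nil, err
	}
	ref := ctx.Ref
	if ref == "" {
		ref = "HEAD"
	}
	return []string{"git", "fetch", "--depth", "1", "origin", ref}, nil
}

func main() {
	// Constructed example of an attacker-controlled build path.
	malicious := "https://example.invalid/repo.git#--upload-pack=touch /tmp/pwned;:subdir"
	ctx := ParseGitContext(malicious)
	fmt.Println("pre-fix argv:", VulnerableFetchArgs(ctx))
	if _, err := SafeFetchArgs(ctx); err != nil {
		fmt.Println("hardened:", err)
	}

	// Benign context using the syntax Docker documents for remote builds.
	benign := ParseGitContext("https://github.com/docker/rootfs.git#container:docker")
	args, _ := SafeFetchArgs(benign)
	fmt.Println("benign argv:", args)
}
```

The allow-list approach is chosen over quoting because the problem is argument-position confusion rather than shell quoting: git receives the ref as a separate argv element, so no amount of escaping helps once the value starts with a dash. Rejecting such refs outright, as the hardened variant does, is the check a build tool needs before handing user input to git.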
How to mitigate CVE-2019-13139
Update Docker Engine to version 18.09.4 or later, which contains the fix; install the update from the vendor's website.