Command Injection in Docker Engine

#VU20954 Command Injection in Docker Engine

Published: 2019-09-10

Vulnerability identifier: #VU20954

Vulnerability risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-13139

CWE-ID: CWE-77

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Docker Engine
Server applications / Virtualization software

Vendor: Docker Inc.

Description

The vulnerability allows a local attacker to inject and execute arbitrary commands on the target system.

The vulnerability exists due to the affected software misinterprets the "git ref" command as a flag. A local authenticated user who is able to execute the "docker build" command and has control over the build path can inject and execute arbitrary commands on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Docker Engine: 0.1.0 - 18.09.3

External links
http://docs.docker.com/engine/release-notes/#18094
http://github.com/moby/moby/pull/38944
http://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Amazon Linux AMI update for docker

Debian update for docker.io

Command injection in Docker