CVE-2019-13139 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-13139 Interim 1 18 2025-05-01T00:58:35Z current 2021-05-30T14:29:09Z 2025-05-01T00:58:35Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-13139 In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings Magnum Orchestration 7 SUSE CaaS Platform 3.0 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 15 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 15 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 15 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE OpenStack Cloud 6-LTSS docker docker-bash-completion docker-kubic docker as a component of Magnum Orchestration 7 docker-kubic as a component of SUSE CaaS Platform 3.0 docker as a component of SUSE CaaS Platform 3.0 docker as a component of SUSE Linux Enterprise Module for Containers 12 docker as a component of SUSE Linux Enterprise Module for Containers 15 docker-bash-completion as a component of SUSE Linux Enterprise Module for Containers 15 docker as a component of SUSE Linux Enterprise Module for Containers 15 SP1 docker-bash-completion as a component of SUSE Linux Enterprise Module for Containers 15 SP1 docker as a component of SUSE OpenStack Cloud 6-LTSS In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag. CVE-2019-13139 Magnum Orchestration 7:docker SUSE CaaS Platform 3.0:docker SUSE CaaS Platform 3.0:docker-kubic SUSE Linux Enterprise Module for Containers 12:docker SUSE Linux Enterprise Module for Containers 15 SP1:docker SUSE Linux Enterprise Module for Containers 15 SP1:docker-bash-completion SUSE Linux Enterprise Module for Containers 15:docker SUSE Linux Enterprise Module for Containers 15:docker-bash-completion SUSE OpenStack Cloud 6-LTSS:docker moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P 6.7 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H