CVE-2019-13139

Impact:
Moderate
Public Date:
2019-03-26
CWE:
CWE-77
Bugzilla:
1732627: CVE-2019-13139 docker: command injection due to a missing validation of the git ref command
A command injection flaw was discovered in Docker during the `docker build` command. By providing a specially crafted path argument for the container to build, it is possible to inject command options to the `git fetch`/`git checkout` commands that are executed by Docker and to execute code with the privileges of the user running Docker. A local attacker who can run `docker build` with a controlled build path, or a remote attacker who has control over the docker build path, could elevate their privileges or execute code.

Find out more about CVE-2019-13139 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Both 1.12 and 1.13 versions of docker shipped with Red Hat Enterprise Linux Extras and OpenShift Container Platform 3 are vulnerable to this flaw, though they are less impacted than upstream. The injected command options passed to docker build through the docker build path are handled by git checkout rather than git fetch, which provides limited options for an attacker to exploit. It is unlikely that code execution is possible, though it cannot be ruled out entirely.

Red Hat Enterprise Linux 7:
This vulnerability is currently targeted to be addressed in an upcoming release.

Red Hat OpenShift Container Platform 3.6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat OpenShift Container Platform 3.7:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 6.7
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Affected Packages State

Platform Package State
Red Hat OpenShift Container Platform 3.7 docker Out of support scope
Red Hat OpenShift Container Platform 3.6 docker Out of support scope
Red Hat Enterprise Linux 7 docker Affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.
Last Modified