{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2023 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2019-13139","title":"Title"},{"category":"description","text":"In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the \"docker build\" command would be able to gain command execution. An issue exists in the way \"docker build\" processes remote git URLs, and results in command injection into the underlying \"git clone\" command, leading to code execution in the context of the user executing the \"docker build\" command. This occurs because git ref can be misinterpreted as a flag.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2019-13139","url":"https://www.suse.com/security/cve/CVE-2019-13139"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1145213 for CVE-2019-13139","url":"https://bugzilla.suse.com/1145213"}],"title":"SUSE CVE CVE-2019-13139","tracking":{"current_release_date":"2023-02-15T04:11:03Z","generator":{"date":"2023-02-15T04:11:03Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2019-13139","initial_release_date":"2023-02-15T04:11:03Z","revision_history":[{"date":"2023-02-15T04:11:03Z","number":"2","summary":"Current version"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"Magnum Orchestration 7","product":{"name":"Magnum Orchestration 7","product_id":"Magnum Orchestration 7","product_identification_helper":{"cpe":"cpe:/o:suse:openstack-cloud-magnum-orchestration:7"}}},{"category":"product_name","name":"SUSE CaaS Platform 3.0","product":{"name":"SUSE CaaS Platform 3.0","product_id":"SUSE CaaS Platform 3.0","product_identification_helper":{"cpe":"cpe:/o:suse:caasp:3.0"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15","product":{"name":"SUSE Linux Enterprise Module for Containers 15","product_id":"SUSE Linux Enterprise Module for Containers 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15","product":{"name":"SUSE Linux Enterprise Module for Containers 15","product_id":"SUSE Linux Enterprise Module for Containers 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 12","product":{"name":"SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15","product":{"name":"SUSE Linux Enterprise Module for Containers 15","product_id":"SUSE Linux Enterprise Module for Containers 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Containers 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-containers:15:sp1"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 6-LTSS","product":{"name":"SUSE OpenStack Cloud 6-LTSS","product_id":"SUSE OpenStack Cloud 6-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-ltss:6"}}},{"category":"product_version","name":"docker","product":{"name":"docker","product_id":"docker","product_identification_helper":{"cpe":"cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"docker-bash-completion","product":{"name":"docker-bash-completion","product_id":"docker-bash-completion","product_identification_helper":{"cpe":"cpe:2.3:a:mobyproject:moby:bash:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"docker-kubic","product":{"name":"docker-kubic","product_id":"docker-kubic"}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"docker as component of Magnum Orchestration 7","product_id":"Magnum Orchestration 7:docker"},"product_reference":"docker","relates_to_product_reference":"Magnum Orchestration 7"},{"category":"default_component_of","full_product_name":{"name":"docker-kubic as component of SUSE CaaS Platform 3.0","product_id":"SUSE CaaS Platform 3.0:docker-kubic"},"product_reference":"docker-kubic","relates_to_product_reference":"SUSE CaaS Platform 3.0"},{"category":"default_component_of","full_product_name":{"name":"docker as component of SUSE CaaS Platform 3.0","product_id":"SUSE CaaS Platform 3.0:docker"},"product_reference":"docker","relates_to_product_reference":"SUSE CaaS Platform 3.0"},{"category":"default_component_of","full_product_name":{"name":"docker as component of SUSE Linux Enterprise Module for Containers 12","product_id":"SUSE Linux Enterprise Module for Containers 12:docker"},"product_reference":"docker","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 12"},{"category":"default_component_of","full_product_name":{"name":"docker as component of SUSE Linux Enterprise Module for Containers 15","product_id":"SUSE Linux Enterprise Module for Containers 15:docker"},"product_reference":"docker","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 15"},{"category":"default_component_of","full_product_name":{"name":"docker-bash-completion as component of SUSE Linux Enterprise Module for Containers 15","product_id":"SUSE Linux Enterprise Module for Containers 15:docker-bash-completion"},"product_reference":"docker-bash-completion","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 15"},{"category":"default_component_of","full_product_name":{"name":"docker as component of SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1:docker"},"product_reference":"docker","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"docker-bash-completion as component of SUSE Linux Enterprise Module for Containers 15 SP1","product_id":"SUSE Linux Enterprise Module for Containers 15 SP1:docker-bash-completion"},"product_reference":"docker-bash-completion","relates_to_product_reference":"SUSE Linux Enterprise Module for Containers 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"docker as component of SUSE OpenStack Cloud 6-LTSS","product_id":"SUSE OpenStack Cloud 6-LTSS:docker"},"product_reference":"docker","relates_to_product_reference":"SUSE OpenStack Cloud 6-LTSS"}]},"vulnerabilities":[{"cve":"CVE-2019-13139","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2019-13139"}],"notes":[{"category":"general","text":"In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the \"docker build\" command would be able to gain command execution. An issue exists in the way \"docker build\" processes remote git URLs, and results in command injection into the underlying \"git clone\" command, leading to code execution in the context of the user executing the \"docker build\" command. This occurs because git ref can be misinterpreted as a flag.","title":"Vulnerability description"}],"product_status":{"known not affected":["Magnum Orchestration 7:docker","SUSE CaaS Platform 3.0:docker","SUSE CaaS Platform 3.0:docker-kubic","SUSE Linux Enterprise Module for Containers 12:docker","SUSE Linux Enterprise Module for Containers 15 SP1:docker","SUSE Linux Enterprise Module for Containers 15 SP1:docker-bash-completion","SUSE Linux Enterprise Module for Containers 15:docker","SUSE Linux Enterprise Module for Containers 15:docker-bash-completion","SUSE OpenStack Cloud 6-LTSS:docker"]},"references":[{"category":"external","summary":"CVE-2019-13139","url":"https://www.suse.com/security/cve/CVE-2019-13139"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1145213 for CVE-2019-13139","url":"https://bugzilla.suse.com/1145213"}],"threats":[{"category":"impact","date":"2019-07-23T22:55:39Z","details":"moderate"}],"title":"CVE-2019-13139"}]}