CVE-2019-13139 (retired)

In Docker before 18.09.4, an attacker who is capable of supplying or
manipulating the build path for the "docker build" command would be able to
gain command execution. An issue exists in the way "docker build" processes
remote git URLs, and results in command injection into the underlying "git
clone" command, leading to code execution in the context of the user
executing the "docker build" command. This occurs because git ref can be
misinterpreted as a flag.
Upstream:released (18.09.4)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (18.09.7)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (18.09.7)
Ubuntu 19.04 (Disco Dingo):not-affected (18.09.7)
Ubuntu 19.10 (Eoan):not-affected (18.09.7)
More Information

Updated: 2019-09-19 16:07:20 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)