Closed
CVE-2019-13139 references github.com/moby/moby, which may be a Go module.
Description:
In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-13139
- fix: gitutils: add validation for ref (CVE-2019-13139) moby/moby#38944
- web: https://docs.docker.com/engine/release-notes/#18094
- web: https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
- web: https://www.debian.org/security/2019/dsa-4521
- web: https://security.netapp.com/advisory/ntap-20190910-0001/
- web: https://seclists.org/bugtraq/2019/Sep/21
- web: https://access.redhat.com/errata/RHBA-2019:3092
- Imported by: https://pkg.go.dev/github.com/moby/moby?tab=importedby
Cross references:
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390 EFFECTIVELY_PRIVATE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-8fvr-5rqf-3wwh #638 NOT_IMPORTABLE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v4h8-794j-g8mm #708 NOT_IMPORTABLE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vj3f-3286-r4pf #751 NOT_IMPORTABLE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-36109 #985 NOT_IMPORTABLE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vp35-85q5-9f25 #1107 NOT_IMPORTABLE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28840 #1699 EFFECTIVELY_PRIVATE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28841 #1700 EFFECTIVELY_PRIVATE
- Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28842 #1701 EFFECTIVELY_PRIVATE
See doc/triage.md for instructions on how to triage this report.
```
modules:
    - module: github.com/moby/moby
      vulnerable_at: 24.0.7+incompatible
      packages:
        - package: n/a
cves:
    - CVE-2019-13139
references:
    - fix: https://github.com/moby/moby/pull/38944
    - web: https://docs.docker.com/engine/release-notes/#18094
    - web: https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
    - web: https://www.debian.org/security/2019/dsa-4521
    - web: https://security.netapp.com/advisory/ntap-20190910-0001/
    - web: https://seclists.org/bugtraq/2019/Sep/21
    - web: https://access.redhat.com/errata/RHBA-2019:3092
```