Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. In the package's 'index.js', the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the user-controllable variable 'serviceName' without any sanitization.
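One way to close this class of bug, as an added example that is not the package's code or an official fix: validate the service name against a strict pattern and start docker-compose with an argument vector instead of a shell string. The names isValidServiceName, buildExecArgv, safeExec and classifySamples, the name pattern, the array form of cmd and the fnExit(err, code) callback shape are assumptions made for illustration.

```javascript
const { spawn } = require('child_process');

// Assumed policy (not from the package): a service name is 1-63 characters of
// letters, digits, '.', '_' or '-', starting with an alphanumeric so it can
// never be read as a command-line option.
const SERVICE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/;

function isValidServiceName(name) {
  return typeof name === 'string' && SERVICE_NAME.test(name);
}

// Build the argv for `docker-compose exec`. Every element reaches the child
// process as one literal argument; no shell parses it.
function buildExecArgv(serviceName, cmd) {
  if (!isValidServiceName(serviceName)) {
    throw new TypeError('invalid service name');
  }
  const ok = Array.isArray(cmd) && cmd.length > 0 &&
    cmd.every((arg) => typeof arg === 'string' && !arg.includes('\0'));
  if (!ok) {
    throw new TypeError('cmd must be a non-empty array of strings');
  }
  return ['exec', '-T', serviceName, ...cmd];
}

// Hypothetical replacement keeping the parameter order named in the advisory.
function safeExec(serviceName, cmd, fnStdout, fnStderr, fnExit) {
  const argv = buildExecArgv(serviceName, cmd); // throws before any spawn
  let done = false; // 'error' and 'close' can both fire; report only once
  const finish = (err, code) => {
    if (!done) { done = true; fnExit(err, code); }
  };
  const child = spawn('docker-compose', argv, {
    shell: false, // never hand a command string to /bin/sh
    stdio: ['ignore', 'pipe', 'pipe'],
  });
  child.stdout.on('data', fnStdout);
  child.stderr.on('data', fnStderr);
  child.on('error', (err) => finish(err, null)); // e.g. binary not found
  child.on('close', (code) => finish(null, code));
  return child;
}

// Constructed sample inputs: two ordinary names, three that must be rejected.
const SAMPLES = ['web', 'db_1', 'web; id', '$(id)', '--help'];
function classifySamples() {
  return SAMPLES.map((name) => [name, isValidServiceName(name)]);
}
```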
Remediation
References
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125