Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. In the package's 'index.js', the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName', which users can control, without any sanitization.
Remediation
References
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125