Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName', which can be controlled by users, without any sanitization.
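A hardened wrapper with the same callback shape, as an added example; this is not the package's code, which is not reproduced here. The allowed-character pattern, the requirement that cmd be an array, and the helper names buildExecArgs and isAccepted are assumptions made for illustration.

```javascript
// Added example: hypothetical hardened wrapper, not docker-compose-remote-api's code.
// Assumption: service names are limited to letters, digits, '.', '_' and '-',
// and must start with a letter or digit so they cannot be parsed as an option.
const SERVICE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Build the argument vector for `docker-compose exec`. Each element reaches the
// child process as one argv entry, so shell metacharacters are never interpreted.
function buildExecArgs(serviceName, cmd) {
  if (typeof serviceName !== 'string' || !SERVICE_NAME.test(serviceName)) {
    throw new TypeError('invalid service name');
  }
  if (!Array.isArray(cmd) || cmd.length === 0 ||
      !cmd.every((arg) => typeof arg === 'string')) {
    throw new TypeError('cmd must be a non-empty array of strings');
  }
  // -T disables pseudo-TTY allocation, which suits non-interactive callers.
  return ['exec', '-T', serviceName, ...cmd];
}

// Same parameter order as the signature quoted in the description.
async function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) {
  const args = buildExecArgs(serviceName, cmd); // throws before any process starts
  // Dynamic import works from both CommonJS and ES modules.
  const { spawn } = await import('node:child_process');
  const child = spawn('docker-compose', args, { shell: false });
  child.stdout.on('data', fnStdout);
  child.stderr.on('data', fnStderr);
  child.on('error', (err) => fnStderr(String(err))); // e.g. binary not installed
  child.on('close', fnExit);
  return child;
}

// Report whether the validator accepts a given service name.
function isAccepted(name) {
  try {
    buildExecArgs(name, ['ls']);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs, not taken from the advisory.
const SAMPLES = ['web', 'db_1', 'web; echo INJECTED', '$(echo INJECTED)', '--help', ''];
console.log(SAMPLES.map((name) => [name, isAccepted(name)]));
```

Validation runs before any process is started, so a rejected name never reaches docker-compose, and the argument array keeps each value as a single argv entry with no shell in between.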
Remediation
References
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125