Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName', which users can control, without any sanitization.
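A hardened counterpart to the exec() signature above, as an added example (not the package's own code, and not taken from the advisory): it validates serviceName against an allowlist and passes it to the child process as a single argument with no shell involved. The names isValidServiceName, buildExecArgs and safeExec, the allowlist pattern, the 64-character limit and the array form of cmd are assumptions made for illustration.

```javascript
// Assumed allowlist: letters, digits, '.', '_' and '-', starting with an
// alphanumeric so the name can never be parsed as a command-line option.
const SERVICE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

function isValidServiceName(name) {
  return typeof name === 'string' && name.length <= 64 && SERVICE_NAME_RE.test(name);
}

// Build an argument vector instead of a command string. Each element reaches
// the child process as exactly one argv entry; no shell parses it.
function buildExecArgs(serviceName, cmd) {
  if (!isValidServiceName(serviceName)) {
    throw new TypeError('invalid service name');
  }
  if (!Array.isArray(cmd) || cmd.length === 0 || !cmd.every((a) => typeof a === 'string')) {
    throw new TypeError('cmd must be a non-empty array of strings');
  }
  return ['exec', '-T', serviceName, ...cmd];
}

// Hypothetical hardened form of exec(serviceName, cmd, fnStdout, fnStderr, fnExit).
function safeExec(serviceName, cmd, fnStdout, fnStderr, fnExit) {
  // Loaded here so the validation helpers above have no dependencies.
  const { spawn } = require('child_process');
  const args = buildExecArgs(serviceName, cmd); // throws before anything is spawned
  const child = spawn('docker-compose', args, { shell: false });
  child.stdout.on('data', fnStdout);
  child.stderr.on('data', fnStderr);
  child.on('error', (err) => fnExit(null, err)); // e.g. docker-compose not installed
  child.on('close', (code) => fnExit(code));
  return child;
}

// Constructed inputs: one ordinary name and three that must be rejected.
function demo() {
  return ['web', 'web; id', '--help', 'db$(id)'].map((n) => [n, isValidServiceName(n)]);
}
```

Validation runs before spawn, so a rejected name never reaches the operating system, and the leading-character rule also blocks names that docker-compose would read as options.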
Remediation
References
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125
Related Vulnerabilities
CVE-2020-8129 Vulnerability in npm package script-manager
CVE-2021-40146 Vulnerability in maven package org.apache.any23:apache-any23-core
CVE-2022-1233 Vulnerability in npm package urijs
CVE-2012-0392 Vulnerability in maven package org.apache.struts.xwork:xwork-core
CVE-2020-36048 Vulnerability in maven package org.webjars.bower:engine.io