Description

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125

Related Vulnerabilities

CVE-2017-16039 Vulnerability in npm package hftp

CVE-2023-26118 Vulnerability in npm package angular

CVE-2020-35199 Vulnerability in maven package org.igniterealtime.openfire.plugins:bookmarks

CVE-2021-23400 Vulnerability in npm package nodemailer

CVE-2023-34453 Vulnerability in maven package org.xerial.snappy:snappy-java

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory