Description

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125

Related Vulnerabilities

CVE-2023-3276 Vulnerability in maven package cn.hutool:hutool-core

CVE-2023-28155 Vulnerability in maven package org.webjars.bower:request

CVE-2022-25896 Vulnerability in npm package passport

CVE-2020-6532 Vulnerability in npm package electron

CVE-2020-15119 Vulnerability in npm package auth0-lock

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory