Description

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125

Related Vulnerabilities

CVE-2021-23450 Vulnerability in npm package dojo

CVE-2023-7148 Vulnerability in maven package ml.shifu:shifu

CVE-2020-7656 Vulnerability in maven package org.webjars.npm:jquery

CVE-2023-45884 Vulnerability in npm package openmct

CVE-2021-32831 Vulnerability in npm package total.js

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory