Description

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125

Related Vulnerabilities

CVE-2020-8135 Vulnerability in npm package @uppy/companion

CVE-2023-49372 Vulnerability in maven package com.jfinal:jfinal

CVE-2021-21290 Vulnerability in maven package io.netty:netty-common

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-elastic-udfs-parent

CVE-2022-1471 Vulnerability in maven package org.yaml:snakeyaml

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory