Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName', which users can control, without any sanitization.
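As an added illustration of the defensive pattern for this class of bug (not code from docker-compose-remote-api or from the advisory), the sketch below validates the service name and hands arguments to the process as an array so no shell ever parses them. The names `safeExec`, `buildComposeExecArgs`, `accepts` and the `SERVICE_NAME` pattern are hypothetical, and it assumes the wrapper ultimately runs `docker-compose exec`.

```javascript
// Added illustration; not the source of docker-compose-remote-api.
const { execFile } = require('child_process');

// Assumption: allowlist of characters for a service name. The first character
// must be alphanumeric so the value can never be parsed as an option ("-x").
const SERVICE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Build the argv for `docker-compose exec` without ever forming a shell string.
function buildComposeExecArgs(serviceName, cmd) {
  if (typeof serviceName !== 'string' || !SERVICE_NAME.test(serviceName)) {
    throw new TypeError('invalid service name');
  }
  if (!Array.isArray(cmd) || cmd.length === 0 ||
      !cmd.every((arg) => typeof arg === 'string')) {
    throw new TypeError('cmd must be a non-empty array of strings');
  }
  // -T disables pseudo-TTY allocation for non-interactive callers.
  return ['exec', '-T', serviceName, ...cmd];
}

// Hypothetical hardened counterpart of
// exec(serviceName, cmd, fnStdout, fnStderr, fnExit).
function safeExec(serviceName, cmd, fnStdout, fnStderr, fnExit) {
  const args = buildComposeExecArgs(serviceName, cmd); // throws on bad input
  let done = false;
  const finish = (err, code) => {
    if (!done) { done = true; fnExit(err, code); }
  };
  // execFile passes args straight to the process; shell metacharacters in
  // any argument stay literal data.
  const child = execFile('docker-compose', args, { shell: false });
  child.stdout.on('data', fnStdout);
  child.stderr.on('data', fnStderr);
  child.on('error', (err) => finish(err, null));
  child.on('close', (code) => finish(null, code));
  return child;
}

// Helper for checking constructed inputs: true when the name is accepted.
function accepts(serviceName) {
  try {
    buildComposeExecArgs(serviceName, ['ls']);
    return true;
  } catch (e) {
    return false;
  }
}
```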
Remediation
References
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125