Description

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

Remediation

References

https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125

Related Vulnerabilities

CVE-2022-0512 Vulnerability in npm package url-parse

CVE-2022-45693 Vulnerability in maven package org.codehaus.jettison:jettison

CVE-2022-23463 Vulnerability in maven package com.nepxion:discovery-commons

CVE-2022-43430 Vulnerability in maven package com.compuware.jenkins:compuware-topaz-for-total-test

CVE-2022-21192 Vulnerability in npm package serve-lite

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory