Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.
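A hardened wrapper for this kind of call, as an added example (not code from docker-compose-remote-api): it validates the service name against an allow-list and passes every value as its own argv element with no shell. The names `safeExec`, `buildExecArgv` and `SERVICE_NAME`, the name pattern, and taking `cmd` as an array are assumptions made for illustration.

```javascript
const { spawn } = require("node:child_process");

// Assumption: conservative allow-list for Compose service names. The first
// character must be alphanumeric so the value can never be parsed as an option.
const SERVICE_NAME = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;

// Build the argument vector for `docker-compose exec`. Throws on any input
// that is not a plain service name plus a non-empty array of string arguments.
function buildExecArgv(serviceName, cmdArgv) {
  if (typeof serviceName !== "string" || !SERVICE_NAME.test(serviceName)) {
    throw new TypeError("invalid service name");
  }
  if (!Array.isArray(cmdArgv) || cmdArgv.length === 0 ||
      !cmdArgv.every((a) => typeof a === "string" && !a.includes("\0"))) {
    throw new TypeError("cmd must be a non-empty array of strings");
  }
  // -T: do not allocate a pseudo-TTY, output is read through pipes.
  return ["exec", "-T", serviceName, ...cmdArgv];
}

// Hypothetical replacement for exec(serviceName, cmd, fnStdout, fnStderr, fnExit).
// spawn() with an argv array and shell: false never hands the values to a shell,
// so metacharacters in an argument stay literal bytes of that one argument.
function safeExec(serviceName, cmdArgv, fnStdout, fnStderr, fnExit) {
  const child = spawn("docker-compose", buildExecArgv(serviceName, cmdArgv), {
    shell: false,
    stdio: ["ignore", "pipe", "pipe"],
  });
  child.stdout.on("data", fnStdout);
  child.stderr.on("data", fnStderr);
  child.on("error", (err) => fnExit(err, null)); // e.g. binary not found
  child.on("close", (code) => fnExit(null, code));
  return child;
}
```

Validation runs before any process is started, so a rejected name never reaches `docker-compose`.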
Remediation
References
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125