Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName', which users can control, without any sanitization.
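The class of bug described above, shown next to a hardened form. This is an added example, not the package's own code: the function names, the service-name allowlist and the assumed string-concatenation shape of the unsafe variant are illustrative assumptions.

```javascript
// Added illustration; every name here is hypothetical, not taken from the package.

// Unsafe pattern (assumed shape): serviceName is concatenated into a string
// that a shell later parses, so metacharacters in it (; | & $ ` ...) are
// interpreted by the shell rather than treated as part of the name.
function buildShellCommandUnsafe(serviceName, cmd) {
  return 'docker-compose exec ' + serviceName + ' ' + cmd;
}

// Conservative allowlist for service names (assumption): must start with an
// alphanumeric, so the value can never be read as an option such as "-T".
const SERVICE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/;

// Hardened pattern: validate the name, then build an argv array. Each element
// reaches the child process as exactly one argument; no shell parses it.
function buildArgvSafe(serviceName, cmdArgv) {
  if (typeof serviceName !== 'string' || !SERVICE_NAME_RE.test(serviceName)) {
    throw new TypeError('invalid service name');
  }
  if (!Array.isArray(cmdArgv) || cmdArgv.length === 0 ||
      !cmdArgv.every((a) => typeof a === 'string')) {
    throw new TypeError('cmd must be a non-empty array of strings');
  }
  // -T disables pseudo-TTY allocation for non-interactive use.
  return ['exec', '-T', serviceName, ...cmdArgv];
}

// Same callback signature as the function named in the advisory, but the
// command is passed as an array and spawned without a shell.
async function execSafe(serviceName, cmdArgv, fnStdout, fnStderr, fnExit) {
  const argv = buildArgvSafe(serviceName, cmdArgv); // throws before spawning
  // Dynamic import works from both CommonJS and ES modules.
  const { spawn } = await import('node:child_process');
  const child = spawn('docker-compose', argv, { shell: false });
  child.stdout.on('data', (d) => fnStdout(String(d)));
  child.stderr.on('data', (d) => fnStderr(String(d)));
  child.on('error', (err) => fnStderr(String(err)));
  child.on('close', (code) => fnExit(code));
  return child;
}
```

Validation alone is not the fix: the allowlist narrows what a name may contain, while the argv array with `shell: false` is what removes the shell from the path.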
Remediation
References
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125