Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE2cGotamg5NC01ZnBy
OS Command Injection in docker-compose-remote-api
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within index.js of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) uses the variable serviceName which can be controlled by users without any sanitization.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE2cGotamg5NC01ZnBy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 3 years ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-q6pj-jh94-5fpr, CVE-2020-7606
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7606
- https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125
- https://github.com/advisories/GHSA-q6pj-jh94-5fpr
Affected Packages
npm:docker-compose-remote-api
Dependent packages: 3Dependent repositories: 1
Downloads: 13 last month
Affected Version Ranges: <= 0.1.4
No known fixed version
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4