GHSA-q6pj-jh94-5fpr

Source
https://github.com/advisories/GHSA-q6pj-jh94-5fpr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-q6pj-jh94-5fpr/GHSA-q6pj-jh94-5fpr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q6pj-jh94-5fpr
Aliases
  • CVE-2020-7606
Published
2021-05-07T16:14:39Z
Modified
2023-11-08T04:04:00.125317Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
OS Command Injection in docker-compose-remote-api
Details

docker-compose-remote-api through 0.1.4 allows execution of arbitrary OS commands. Within index.js of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) uses the serviceName variable, which can be controlled by users, without any sanitization.

Database specific
{
    "github_reviewed_at": "2021-05-04T20:48:32Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": "2020-03-15T22:15:00Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

npm / docker-compose-remote-api

Package

Name
docker-compose-remote-api
Purl
pkg:npm/docker-compose-remote-api

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.1.4