Description
docker-compose-remote-api through 0.1.4 allows execution of arbitrary OS commands (OS command injection). Within `index.js` of the package, the function `exec(serviceName, cmd, fnStdout, fnStderr, fnExit)` uses the `serviceName` value, which can be controlled by users, without any sanitization or validation; a caller that can influence `serviceName` can therefore cause arbitrary commands to be executed.
Affected Software
Related
{"id": "GHSA-Q6PJ-JH94-5FPR", "vendorId": null, "type": "github", "bulletinFamily": "software", "title": "OS Command Injection in docker-compose-remote-api", "description": "docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within `index.js` of the package, the function `exec(serviceName, cmd, fnStdout, fnStderr, fnExit)` uses the variable `serviceName` which can be controlled by users without any sanitization.", "published": "2021-05-07T16:14:39", "modified": "2023-09-11T22:26:16", "epss": [{"cve": "CVE-2020-7606", "epss": 0.00971, "percentile": 0.81567, "modified": "2023-12-06"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://github.com/advisories/GHSA-q6pj-jh94-5fpr", "reporter": "GitHub Advisory Database", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2020-7606", "https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125", "https://github.com/advisories/GHSA-q6pj-jh94-5fpr"], "cvelist": ["CVE-2020-7606"], "immutableFields": [], "lastseen": "2023-12-06T17:29:46", "viewCount": 42, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-7606"]}, {"type": "osv", "idList": ["OSV:GHSA-Q6PJ-JH94-5FPR"]}, {"type": "prion", "idList": ["PRION:CVE-2020-7606"]}, {"type": "veracode", "idList": ["VERACODE:22719"]}]}, "score": {"value": 9.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-7606"]}, {"type": "kitploit", "idList": ["KITPLOIT:3449843613571411531"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "docker-compose-remote-api", "version": 0}]}, "epss": [{"cve": "CVE-2020-7606", "epss": 0.00639, "percentile": 0.76151, "modified": "2023-05-01"}], "vulnersScore": 9.1}, "_state": {"dependencies": 1701889479, "score": 1701884521, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "961dc6423c907728a0df23308d29a01f"}, "affectedSoftware": [{"version": "0.1.4", "operator": "le", "ecosystem": "NPM", "name": "docker-compose-remote-api"}]}
{"prion": [{"lastseen": "2023-11-22T01:46:29", "description": "docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-15T22:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7606"], "modified": "2021-07-21T11:39:00", "id": "PRION:CVE-2020-7606", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2020-7606", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-09-11T22:33:30", "description": "docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. 
Within `index.js` of the package, the function `exec(serviceName, cmd, fnStdout, fnStderr, fnExit)` uses the variable `serviceName` which can be controlled by users without any sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T16:14:39", "type": "osv", "title": "OS Command Injection in docker-compose-remote-api", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7606"], "modified": "2023-09-11T22:26:16", "id": "OSV:GHSA-Q6PJ-JH94-5FPR", "href": "https://osv.dev/vulnerability/GHSA-q6pj-jh94-5fpr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-06T16:40:28", "description": "docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. 
Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-15T22:15:00", "type": "cve", "title": "CVE-2020-7606", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7606"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/a:docker-compose-remote-api_project:docker-compose-remote-api:0.1.4"], "id": "CVE-2020-7606", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7606", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:docker-compose-remote-api_project:docker-compose-remote-api:0.1.4:*:*:*:*:node.js:*:*"]}], "veracode": [{"lastseen": "2023-04-18T11:52:54", "description": "docker-compose-remote-api is vulnerable to OS command injection. 
An attacker is able to inject and execute arbitrary OS commands via the `serviceName` parameter due to lack of validation before passing to the `exec` function.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-17T05:59:05", "type": "veracode", "title": "OS Command Injection", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7606"], "modified": "2020-10-12T12:34:24", "id": "VERACODE:22719", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22719/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}