docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within index.js
of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit)
uses the variable serviceName
which can be controlled by users without any sanitization.
CPE | Name | Operator | Version |
---|---|---|---|
docker-compose-remote-api | le | 0.1.4 |