CVE-2020-7606

CRITICAL

docker-compose-remote-api <= 0.1.4 - OS Command Injection via Service Name Parameter

Description

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.
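The flaw class described above (CWE-78), shown next to a hardened wrapper. This is an added example, not code from the package's index.js or from the advisory. It assumes the wrapper ends up running `docker-compose exec <service> <cmd>`; the names `buildShellStringUnsafe`, `buildComposeArgs`, `safeExec` and `SERVICE_NAME`, the allowlist pattern, and the callback semantics are hypothetical.

```javascript
// Added illustration; not the package's own code.
// Assumption: the wrapper runs `docker-compose exec <service> <cmd...>`.

// Assumed allowlist policy for Compose service names: first character
// alphanumeric (so the value can never be read as an option), then
// letters, digits, '.', '_' or '-'.
const SERVICE_NAME = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;

// Vulnerable pattern: the command is assembled as one string and later handed
// to a shell, so metacharacters in serviceName are interpreted by that shell.
function buildShellStringUnsafe(serviceName, cmd) {
  return "docker-compose exec -T " + serviceName + " " + cmd;
}

// Hardened pattern: validate the service name, then return an argv array.
// Each element is passed to the process as-is; no shell parses it.
function buildComposeArgs(serviceName, cmdArgs) {
  if (typeof serviceName !== "string" || !SERVICE_NAME.test(serviceName)) {
    throw new TypeError("invalid service name");
  }
  if (!Array.isArray(cmdArgs) || cmdArgs.length === 0 ||
      !cmdArgs.every((a) => typeof a === "string")) {
    throw new TypeError("cmd must be a non-empty array of strings");
  }
  return ["exec", "-T", serviceName, ...cmdArgs];
}

// Same callback shape as the signature quoted in the description
// (fnStdout, fnStderr, fnExit); what each callback receives is assumed.
async function safeExec(serviceName, cmdArgs, fnStdout, fnStderr, fnExit) {
  const args = buildComposeArgs(serviceName, cmdArgs); // throws before spawning
  const { spawn } = await import("node:child_process");
  const child = spawn("docker-compose", args, { shell: false });
  child.stdout.on("data", fnStdout);
  child.stderr.on("data", fnStderr);
  child.on("error", (err) => fnExit(err)); // e.g. docker-compose not installed
  child.on("close", (code) => fnExit(code));
  return child;
}
```

Validation happens before any process is created, so a rejected service name never reaches `docker-compose`.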

References (1)

Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125

Scores

CVSS v3 9.8
EPSS 0.0264
EPSS Percentile 83.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
docker-compose-remote-api_project/docker-compose-remote-api < 0.1.4
npm/docker-compose-remote-api 0npm
Published Mar 15, 2020
Tracked Since Feb 18, 2026