Vulnerability CVE-2020-7606
Published: 2020-03-15   Modified: 2020-03-16

Description:
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

Type:

CWE-74

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Docker-compose-remote-api project -> Docker-compose-remote-api 

 References:
https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125
Copyright 2024, cxsecurity.com

 

Back to Top