CVE-2020-7606

Name of the Vulnerable Software and Affected Versions docker-compose-remote-api versions 0.1.4 and earlier

Description The issue allows execution of arbitrary commands due to insufficient argument validation. Within 'index.js' of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) uses the variable serviceName which can be controlled by users without any sanitization. This can enable a remote attacker to execute arbitrary commands in the target system.

Recommendations For docker-compose-remote-api versions 0.1.4 and earlier, as a temporary workaround, consider disabling the exec(serviceName, cmd, fnStdout, fnStderr, fnExit) function until a patch is available. Restrict access to the index.js file to minimize the risk of exploitation. Avoid using the variable serviceName in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.