CVEs-PoC/2020/CVE-2020-7606.md

### [CVE-2020-7606](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7606)
![](https://img.shields.io/static/v1?label=Product&message=docker-compose-remote-api&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Command%20Injection&color=brighgreen)

### Description

docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

### POC

#### Reference
- https://snyk.io/vuln/SNYK-JS-DOCKERCOMPOSEREMOTEAPI-560125

#### Github
No PoCs found on GitHub currently.