After reviewing this CVE, and this response from the maintainer, we have withdrawn this advisory.
This affects all versions of package docker-cli-js. If the command parameter of the Docker.command method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system.
| Score | Percentile |
|---|---|
| 0.84% | 74.52% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-ff45-7prw-58vj ↗ |
| CVE | CVE-2021-23732 ↗ |
| CWE id | Name |
|---|---|
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | docker-cli-js | <= 2.8.0 | — | — |