Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2023-43655

Опубликовано: 29 сент. 2023
Источник: debian
EPSS Низкий

Описание

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
composerfixed2.6.4-1package
composerpostponedbookwormpackage
composerno-dsabullseyepackage

Примечания

  • https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf

  • https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d (1.10.27)

  • https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c (2.2.22)

  • https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c (2.6.4)

EPSS

Процентиль: 86%
0.02866
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2023-43655

CVSS3: 6.4
ubuntu
больше 1 года назад

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

nvd логотип

CVE-2023-43655

CVSS3: 6.4
nvd
больше 1 года назад

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

suse-cvrf логотип

SUSE-SU-2023:4041-1

suse-cvrf
больше 1 года назад

Security update for php-composer2

github логотип

GHSA-jm6m-4632-36hf

CVSS3: 8.8
github
больше 1 года назад

Composer Remote Code Execution vulnerability via web-accessible composer.phar

fstec логотип

BDU:2024-04879

CVSS3: 8.8
fstec
больше 1 года назад

Уязвимость файла composer.phar менеджера зависимостей для PHP Composer, позволяющая нарушителю выполнить произвольные команды

EPSS

Процентиль: 86%
0.02866
Низкий