Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-35242

Опубликовано: 10 июн. 2024
Источник: debian
EPSS Низкий

Описание

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
composerfixed2.7.7-1package

Примечания

  • https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf

  • https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467 (2.2.24)

  • https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 (2.7.7)

EPSS

Процентиль: 90%
0.05494
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2024-35242

CVSS3: 8.8
ubuntu
около 1 года назад

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

nvd логотип

CVE-2024-35242

CVSS3: 8.8
nvd
около 1 года назад

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

github логотип

GHSA-v9qv-c7wm-wgmf

CVSS3: 8.8
github
около 1 года назад

Composer has multiple command injections via malicious git/hg branch names

fstec логотип

BDU:2024-04880

CVSS3: 8.8
fstec
около 1 года назад

Уязвимость компонента Branch Name Handler менеджера зависимостей для PHP Composer, позволяющая нарушителю выполнить произвольные команды

suse-cvrf логотип

SUSE-SU-2024:2107-1

suse-cvrf
около 1 года назад

Security update for php-composer2

EPSS

Процентиль: 90%
0.05494
Низкий