GHSA-47f6-5gq3-vx9c

Опубликовано: 10 июн. 2024

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Composer has a command injection via malicious git branch name

Impact

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

Ссылки

Пакеты

Наименование

composer/composer

composer

Затронутые версииВерсия исправления

>= 2.0, < 2.2.24

2.2.24

Наименование

composer/composer

composer

Затронутые версииВерсия исправления

>= 2.3, < 2.7.7

2.7.7

EPSS

Процентиль: 39%

0.00173

Низкий

8.8 High

CVSS3

CVE ID

CVE-2024-35241

Дефекты

CWE-77

Связанные уязвимости

CVE-2024-35241

CVSS3: 8.8

ubuntu

около 1 года назад

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.