GHSA-v9qv-c7wm-wgmf

Опубликовано: 10 июн. 2024

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Composer has multiple command injections via malicious git/hg branch names

Impact

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid cloning potentially compromised repositories.

Ссылки

Пакеты

Наименование

composer/composer

composer

Затронутые версииВерсия исправления

>= 2.0, < 2.2.24

2.2.24

Наименование

composer/composer

composer

Затронутые версииВерсия исправления

>= 2.3, < 2.7.7

2.7.7

EPSS

Процентиль: 90%

0.05494

Низкий

8.8 High

CVSS3

CVE ID

CVE-2024-35242

Дефекты

CWE-77

Связанные уязвимости

CVE-2024-35242

CVSS3: 8.8

ubuntu

около 1 года назад

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.