Description
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this thus has a low severity, but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
A flaw was found in Composer, a dependency manager for PHP. A remote attacker could exploit this by injecting ANSI control characters into the terminal output of various Composer commands when Composer downloads from attacker-controlled remote sources. This can lead to mangled output, causing confusion or a Denial of Service (DoS) of the terminal application.
Report
This vulnerability is rated Low because it affects only the terminal output of Composer commands. Exploitation requires the attacker to control a remote source that Composer downloads from (for example a package repository whose metadata fields are printed by Composer), which allows ANSI control characters to be injected into that output. The result is mangled output or a denial of service of the terminal application; the underlying system, the downloaded code and Composer's own state are not affected. Upgrading to 2.2.26 (2.2 LTS branch) or 2.9.3 resolves the issue.
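To make the failure mode concrete, the following is an added example (not Composer's code and not the fix shipped in 2.2.26/2.9.3) written in Python rather than PHP so that it runs without a PHP toolchain. It builds a constructed packages.json-shaped metadata structure in which a hypothetical package description carries the kinds of sequences a terminal would act on (CSI clear-screen and cursor moves, an OSC title change, an OSC 8 hyperlink, SGR colour to fake a status line), then shows two defensive treatments a consumer of untrusted text can apply before writing it to a terminal: stripping the sequences outright, or rendering them in caret notation so they stay visible but inert. The `audit_metadata` walker is an assumption about how one might scan repository metadata; field names such as `description` and the package name `acme/widget` are invented for the example.

```python
import re

# Constructed sample of an attacker-controlled "description" field.
# Not taken from any real package or repository.
MALICIOUS_DESCRIPTION = (
    "Harmless utility"
    "\x1b[2J\x1b[H"                         # CSI: clear screen, cursor to home
    "\x1b]0;pwned\x07"                      # OSC 0: set terminal title, BEL-terminated
    "\x1b]8;;https://example.invalid\x1b\\" # OSC 8: hyperlink, ST-terminated
    "All checks passed \x1b[32mOK\x1b[0m"   # SGR colour to fake a status line
)

# Constructed packages.json-shaped metadata (field layout is an assumption).
SAMPLE_PACKAGES_JSON = {
    "packages": {
        "acme/widget": [
            {
                "name": "acme/widget",
                "version": "1.2.0",
                "description": MALICIOUS_DESCRIPTION,
                "dist": {"type": "zip",
                         "url": "https://repo.example.invalid/acme-widget-1.2.0.zip"},
            }
        ]
    }
}

# ECMA-48 pieces a terminal interprets:
#   CSI  ESC [ parameter-bytes intermediate-bytes final-byte (0x40-0x7E)
#   OSC  ESC ] ... terminated by BEL (0x07) or ST (ESC \)
#   Fe   ESC followed by one byte 0x40-0x5F (e.g. ESC D, ESC M)
#   any other ESC + byte, treated conservatively as a sequence
#   remaining C0 control characters and DEL, keeping only \t and \n
_TERMINAL_CONTROL_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC with BEL or ST terminator
    r"|\x1b[@-Z\\-_]"                      # two-byte Fe sequences
    r"|\x1b."                              # unknown ESC + byte
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]",  # other C0 controls and DEL
    re.DOTALL,
)


def has_terminal_controls(text: str) -> bool:
    """True if the string contains anything a terminal would interpret."""
    return _TERMINAL_CONTROL_RE.search(text) is not None


def strip_terminal_controls(text: str) -> str:
    """Drop escape sequences and control characters before printing."""
    return _TERMINAL_CONTROL_RE.sub("", text)


def escape_terminal_controls(text: str) -> str:
    """Render control bytes in caret notation (ESC -> ^[, BEL -> ^G, DEL -> ^?),
    as `cat -v` does, so the sequence is visible but no longer acted upon."""
    def caret(match: re.Match) -> str:
        out = []
        for ch in match.group(0):
            code = ord(ch)
            if code < 0x20 or code == 0x7F:
                out.append("^" + chr(code ^ 0x40))
            else:
                out.append(ch)
        return "".join(out)
    return _TERMINAL_CONTROL_RE.sub(caret, text)


def audit_metadata(obj, path: str = "root") -> list[tuple[str, str]]:
    """Walk nested metadata and report every string field carrying
    terminal control sequences, with the offending value caret-escaped."""
    findings: list[tuple[str, str]] = []
    if isinstance(obj, str):
        if has_terminal_controls(obj):
            findings.append((path, escape_terminal_controls(obj)))
    elif isinstance(obj, dict):
        for key, value in obj.items():
            findings.extend(audit_metadata(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            findings.extend(audit_metadata(value, f"{path}[{index}]"))
    return findings


if __name__ == "__main__":
    # Never echo the raw field: show the escaped form instead.
    for field_path, shown in audit_metadata(SAMPLE_PACKAGES_JSON):
        print(f"{field_path}: {shown}")
    print("stripped:", strip_terminal_controls(MALICIOUS_DESCRIPTION))
```

Stripping is the right default for a CLI that prints untrusted repository metadata; caret-escaping is more useful when auditing a repository, because it shows the reviewer exactly which sequence was embedded without letting the terminal act on it. The regex deliberately swallows any ESC-plus-byte pair it does not recognise rather than passing it through.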
Links to sources
Additional information
Status:
EPSS
3.5 Low
CVSS3
Related vulnerabilities