Описание
Security update for php-composer2
This update for php-composer2 fixes the following issues:
- CVE-2022-24828: Fixed a code injection issue that affected integrators using specific APIs to read untrusted input files (bsc#1198494).
Список пакетов
Container bci/php-apache:8
Container bci/php-apache:latest
Container bci/php-fpm:8
Container bci/php-fpm:latest
Container bci/php:8
Container bci/php:latest
SUSE Linux Enterprise Module for Web and Scripting 15 SP4
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2022:3020-1
- E-Mail link for SUSE-SU-2022:3020-1
- SUSE Security Ratings
- SUSE Bug 1198494
- SUSE CVE CVE-2022-24828 page
Описание
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.
Затронутые продукты
Ссылки
- CVE-2022-24828
- SUSE Bug 1198494