Описание
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has register_argc_argv enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | ignored | end of standard support |
| devel | not-affected | 2.8.8-1 |
| esm-apps/bionic | released | 1.6.3-1ubuntu0.1~esm2 |
| esm-apps/focal | released | 1.10.1-1ubuntu0.1~esm2 |
| esm-apps/jammy | released | 2.2.6-2ubuntu4+esm1 |
| esm-apps/noble | not-affected | 2.7.1-2 |
| esm-apps/xenial | released | 1.0.0~beta2-1ubuntu0.1~esm2 |
| focal | ignored | end of standard support, was needs-triage |
| jammy | needed | |
| lunar | ignored | end of life, was needs-triage |
Показывать по
Ссылки на источники
EPSS
6.4 Medium
CVSS3
Связанные уязвимости
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
Composer is a dependency manager for PHP. Users publishing a composer. ...
Composer Remote Code Execution vulnerability via web-accessible composer.phar
Уязвимость файла composer.phar менеджера зависимостей для PHP Composer, позволяющая нарушителю выполнить произвольные команды
EPSS
6.4 Medium
CVSS3