Count: 8

Vulnerability | CVSS | EPSS | Published |
---|---|---|---|
CVE-2022-24828 Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. | CVSS3: 8.3 | 1% Low | about 3 years ago |
CVE-2022-24828 Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. | CVSS3: 8.3 | 1% Low | about 3 years ago |
CVE-2022-24828 Composer is a dependency manager for the PHP programming language. Int ... | CVSS3: 8.3 | 1% Low | about 3 years ago |
SUSE-SU-2022:3020-1 Security update for php-composer2 | | 1% Low | almost 3 years ago |
GHSA-x7cr-6qr6-2hh6 Missing input validation can lead to command execution in composer | CVSS3: 8.3 | 1% Low | about 3 years ago |
BDU:2022-02944 Vulnerability in the implementation of the VcsDriver::getFileContent() method of the Composer dependency manager for PHP, allowing an attacker to execute arbitrary commands | CVSS3: 8.3 | 1% Low | about 3 years ago |
openSUSE-SU-2022:0132-1 Security update for php-composer | | | about 3 years ago |
ROS-20240626-10 Multiple vulnerabilities in composer | CVSS3: 8.8 | | about 1 year ago |