Command injection in composer on Windows
CVE-2021-41116

8.2HIGH

Key Information:

Vendor: Composer
Status: Composer
Vendor: CVE Published:; 5 October 2021

🔔 Create Composer Vulnerability Alert

What is CVE-2021-41116?

Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.

Affected Version(s)

composer < 1.10.23 < 1.10.23

composer >= 2.0, < 2.1.9 < 2.0, 2.1.9

References

https://github.com/composer/composer/security/advisories/...

x_refsource_CONFIRM

https://github.com/composer/composer/commit/ca5e2f8d505fd...

x_refsource_MISC

https://www.sonarsource.com/blog/securing-developer-tools...

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 5, 2021
Vulnerability Reserved
Sep 15, 2021

CVE-2021-41116 Data

.