Specially crafted branch names in Git repositories can execute code
CVE-2024-35241

8.8HIGH

Key Information:

Vendor

Composer

Status
Composer
Vendor
CVE Published:
10 June 2024

Badges

📰 News Worthy

What is CVE-2024-35241?

The vulnerability CVE-2024-35241 affects the Composer, a widely used PHP dependency manager, and allows the execution of malicious code with specially crafted Git repository branch names. It impacts versions prior to 2.2.24 for 2.2 LTS or 2.7.7 for mainline. There is no known exploitation by ransomware groups. Patches are available and users are recommended to update to the latest versions to mitigate these vulnerabilities. Additionally, users are advised to avoid installing dependencies via git and to carefully review the sources of software packages to ensure system integrity.

Affected Version(s)

composer >= 2.0, < 2.2.24 < 2.0, 2.2.24

composer >= 2.3, < 2.7.7 < 2.3, 2.7.7

News Articles

favicon imageSentiguard

PHP: Command Injection Sicherheitslücken in composer entdeckt

Composer, das weit verbreitete PHP-Dependency-Management-Tool, ist von zwei schwerwiegenden Sicherheitslücken betroffen, die die Ausführung von Schadcode…

References

https://github.com/composer/composer/security/advisories/...
x_refsource_CONFIRM
https://github.com/composer/composer/commit/b93fc6ca437da...
x_refsource_MISC
https://github.com/composer/composer/commit/ee28354ca8d33...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 📰

    First article discovered by Sentiguard

  • Vulnerability published

.