Command Injection Vulnerability in Composer Affects PHP Projects
CVE-2024-35242

8.8 HIGH

Key Information:

Vendor: Composer
Status: Vendor
CVE Published: 10 June 2024

Badges

👾 Exploit Exists · 🟣 EPSS 23% · 📰 News Worthy

What is CVE-2024-35242?

A security vulnerability has been identified in Composer, the dependency manager for PHP, affecting versions 2.2.x before 2.2.24 and 2.7.x before 2.7.7. The vulnerability is triggered when `composer install` is run inside a version control repository (git/hg) whose branch names have been specially crafted. Cloning an untrusted repository and running `composer install` in it can therefore result in command injection, exposing the system running Composer to compromise. Users are advised to upgrade to a patched release (2.2.24 or 2.7.7) or to avoid cloning and installing from untrusted repositories until they do.

Affected Version(s)

composer: affected >= 2.0, < 2.2.24; not affected < 2.0, 2.2.24

composer: affected >= 2.3, < 2.7.7; not affected < 2.3, 2.7.7

News Articles

PHP: Command injection security vulnerabilities discovered in composer

Composer, the widely used PHP dependency management tool, is affected by two serious security vulnerabilities that allow the execution of malicious code…

References

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 📰 First article discovered by Sentiguard
  • Vulnerability published
