Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00N2Y2LTVncTMtdng5Y84AA85F
Composer has a command injection via malicious git branch name
Impact
The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.
Patches
2.2.24 for 2.2 LTS or 2.7.7 for mainline
Workarounds
Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00N2Y2LTVncTMtdng5Y84AA85F
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-47f6-5gq3-vx9c, CVE-2024-35241
References:
- https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
- https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4
- https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704
- https://nvd.nist.gov/vuln/detail/CVE-2024-35241
- https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
- https://github.com/advisories/GHSA-47f6-5gq3-vx9c
Blast Radius: 40.0
Affected Packages
packagist:composer/composer
Dependent packages: 2,610Dependent repositories: 35,414
Downloads: 146,328,209 total
Affected Version Ranges: >= 2.3, < 2.7.7, >= 2.0, < 2.2.24
Fixed in: 2.7.7, 2.2.24
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.14, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 1.10.18, 1.10.19, 1.10.20, 1.10.21, 1.10.22, 1.10.23, 1.10.24, 1.10.25, 1.10.26, 1.10.27, 2.2.24, 2.7.7, 2.7.8, 2.7.9, 2.8.0, 2.8.1, 2.8.2, 2.8.3