BIT-composer-2024-35242

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/composer/BIT-composer-2024-35242.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-composer-2024-35242

Aliases

Published

2024-06-12T07:16:23.898Z

Modified

2024-07-18T07:56:34.499Z

Summary

[none]

Details

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Database specific

{
    "cpes": [
        "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:php:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / composer

Package

Name: composer
Purl: pkg:bitnami/composer

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0

Fixed

2.2.24

Introduced

2.3.0

Fixed

2.7.7