CVE-2022-24828

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24828
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24828.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24828
Aliases
Related
Published
2022-04-13T21:15:07Z
Modified
2024-09-18T03:17:35.124815Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call VcsDriver::getFileContent can have a code injection vulnerability if the user can control the $file or $identifier argument. This leads to a vulnerability on packagist.org for example where the composer.json's readme field can be used as a vector for injecting parameters into hg/Mercurial via the $file argument, or git via the $identifier argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call getFileContent with arbitrary data into $file/$identifier. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

References

Affected packages

Debian:11 / composer

Package

Name
composer
Purl
pkg:deb/debian/composer?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.9-2+deb11u1

Affected versions

2.*

2.0.9-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / composer

Package

Name
composer
Purl
pkg:deb/debian/composer?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.12-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / composer

Package

Name
composer
Purl
pkg:deb/debian/composer?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.12-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/composer/composer

Affected ranges

Type
GIT
Repo
https://github.com/composer/composer
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2c40c53637c5c7e43fff7c09d3d324d632734709

Affected versions

1.*

1.0.0-alpha10
1.0.0-alpha9

2.*

2.1.14
2.2.0
2.2.0-RC1
2.2.1
2.2.10
2.2.11
2.2.2
2.2.3
2.2.4
2.2.6
2.2.7
2.2.8
2.2.9