GHSA-47f6-5gq3-vx9c

Source
https://github.com/advisories/GHSA-47f6-5gq3-vx9c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-47f6-5gq3-vx9c/GHSA-47f6-5gq3-vx9c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-47f6-5gq3-vx9c
Published
2024-06-10T21:36:32Z
Modified
2024-07-15T22:12:04.160457Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Composer has a command injection via malicious git branch name
Details

Impact

The status, reinstall and remove commands can be used to execute code when a package was installed from source via git and its repository contains a specially crafted branch name.

Patches

Fixed in 2.2.24 for the 2.2 LTS branch and in 2.7.7 for mainline.

Workarounds

Avoid installing dependencies from source via git: pass the --prefer-dist option on the command line, or set the preferred-install config setting to dist.

Database specific
{
    "nvd_published_at": "2024-06-10T22:15:09Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-10T21:36:32Z"
}
Affected packages

Packagist / composer/composer

Package

Name
composer/composer
Purl
pkg:composer/composer/composer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.2.24

Affected versions

2.*

2.0.0-alpha1
2.0.0-alpha2
2.0.0-alpha3
2.0.0-RC1
2.0.0-RC2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.1.0-RC1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.14
2.2.0-RC1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21
2.2.22
2.2.23

Packagist / composer/composer

Package

Name
composer/composer
Purl
pkg:composer/composer/composer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3
Fixed
2.7.7

Affected versions

2.*

2.3.0-RC1
2.3.0-RC2
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.4.0-RC1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6