GHSA-frqg-7g38-6gcf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-frqg-7g38-6gcf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-frqg-7g38-6gcf/GHSA-frqg-7g38-6gcf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-frqg-7g38-6gcf
- Aliases
- Related
- Published
- 2021-10-05T20:23:18Z
- Modified
- 2024-02-16T08:08:08.814539Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator
- Summary
- Improper escaping of command arguments on Windows leading to command injection
- Details
-
Impact
Windows users running Composer to install untrusted dependencies are affected and should definitely upgrade for safety. Other OSs and WSL are not affected.
Patches
1.10.23 and 2.1.9 fix the issue
Workarounds
None
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-77" ], "nvd_published_at": "2021-10-05T18:15:00Z", "github_reviewed_at": "2021-10-05T18:44:04Z" }- References
-
- https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf
- https://nvd.nist.gov/vuln/detail/CVE-2021-41116
- https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa
- https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-41116.yaml
- https://github.com/composer/composer
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers
- https://www.tenable.com/security/tns-2022-09
Affected packages
Packagist / composer/composer
Package
- Name
- composer/composer
- Purl
- pkg:composer/composer/composer
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.10.23
Affected versions
1.*
1.0.0-alpha1
1.0.0-alpha2
1.0.0-alpha3
1.0.0-alpha4
1.0.0-alpha5
1.0.0-alpha6
1.0.0-alpha7
1.0.0-alpha8
1.0.0-alpha9
1.0.0-alpha10
1.0.0-alpha11
1.0.0-beta1
1.0.0-beta2
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0-RC
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0-RC
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0-RC
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.6.0-RC
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.7.0-RC
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.9.0
1.9.1
1.9.2
1.9.3
1.10.0-RC
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.10.10
1.10.11
1.10.12
1.10.13
1.10.14
1.10.15
1.10.16
1.10.17
1.10.18
1.10.19
1.10.20
1.10.21
1.10.22
Packagist / composer/composer
Package
- Name
- composer/composer
- Purl
- pkg:composer/composer/composer