GHSA-frqg-7g38-6gcf

Source

https://github.com/advisories/GHSA-frqg-7g38-6gcf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-frqg-7g38-6gcf/GHSA-frqg-7g38-6gcf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-frqg-7g38-6gcf

Aliases

Published

2021-10-05T20:23:18Z

Modified

2024-02-16T08:08:08.814539Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Improper escaping of command arguments on Windows leading to command injection

Details

Impact

Windows users running Composer to install untrusted dependencies are affected and should definitely upgrade for safety. Other OSs and WSL are not affected.

Patches

1.10.23 and 2.1.9 fix the issue

Workarounds

None

Database specific

{
    "nvd_published_at": "2021-10-05T18:15:00Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-05T18:44:04Z"
}

References

Affected packages

Packagist / composer/composer

Package

Name: composer/composer
Purl: pkg:composer/composer/composer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.23

Affected versions

1.*

1.0.0-alpha1

1.0.0-alpha2

1.0.0-alpha3

1.0.0-alpha4

1.0.0-alpha5

1.0.0-alpha6

1.0.0-alpha7

1.0.0-alpha8

1.0.0-alpha9

1.0.0-alpha10

1.0.0-alpha11

1.0.0-beta1

1.0.0-beta2

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0-RC

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0-RC

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0-RC

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.3

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.6.0-RC

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.7.0-RC

1.7.0

1.7.1

1.7.2

1.7.3

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.9.0

1.9.1

1.9.2

1.9.3

1.10.0-RC

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.10.8

1.10.9

1.10.10

1.10.11

1.10.12

1.10.13

1.10.14

1.10.15

1.10.16

1.10.17

1.10.18

1.10.19

1.10.20

1.10.21

1.10.22

Packagist / composer/composer

Package

Name: composer/composer
Purl: pkg:composer/composer/composer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0-alpha1

Fixed

2.1.9

Affected versions

2.*

2.0.0-alpha1

2.0.0-alpha2

2.0.0-alpha3

2.0.0-RC1

2.0.0-RC2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.1.0-RC1

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8