GHSA-v9qv-c7wm-wgmf

Source
https://github.com/advisories/GHSA-v9qv-c7wm-wgmf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v9qv-c7wm-wgmf/GHSA-v9qv-c7wm-wgmf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v9qv-c7wm-wgmf
Published
2024-06-10T21:36:25Z
Modified
2024-07-15T21:59:52.801416Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Composer has multiple command injections via malicious git/hg branch names
Details

Impact

Running the composer install command inside a git/hg repository that has specially crafted branch names can lead to command injection, so exploitation requires cloning an untrusted repository.

Patches

Fixed in 2.2.24 for the 2.2 LTS branch or 2.7.7 for mainline.

Workarounds

Avoid cloning potentially compromised repositories.

Database specific
{
    "nvd_published_at": "2024-06-10T22:15:09Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-10T21:36:25Z"
}
Affected packages

Packagist / composer/composer

Package

Name
composer/composer
Purl
pkg:composer/composer/composer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.2.24

Affected versions

2.*

2.0.0-alpha1
2.0.0-alpha2
2.0.0-alpha3
2.0.0-RC1
2.0.0-RC2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.1.0-RC1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.14
2.2.0-RC1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21
2.2.22
2.2.23

Packagist / composer/composer

Package

Name
composer/composer
Purl
pkg:composer/composer/composer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3
Fixed
2.7.7

Affected versions

2.*

2.3.0-RC1
2.3.0-RC2
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.4.0-RC1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6