GHSA-v9qv-c7wm-wgmf

Source

https://github.com/advisories/GHSA-v9qv-c7wm-wgmf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v9qv-c7wm-wgmf/GHSA-v9qv-c7wm-wgmf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v9qv-c7wm-wgmf

Aliases

Related

CGA-cf8c-xqvc-jhcx

Published

2024-06-10T21:36:25Z

Modified

2024-07-15T21:59:52.801416Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Composer has multiple command injections via malicious git/hg branch names

Details

Impact

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid cloning potentially compromised repositories.

Database specific

{
    "nvd_published_at": "2024-06-10T22:15:09Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-10T21:36:25Z"
}

References

Affected packages

Packagist / composer/composer

Package

Name: composer/composer
Purl: pkg:composer/composer/composer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0

Fixed

2.2.24

Affected versions

2.*

2.0.0-alpha1

2.0.0-alpha2

2.0.0-alpha3

2.0.0-RC1

2.0.0-RC2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.1.0-RC1

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.14

2.2.0-RC1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.20

2.2.21

2.2.22

2.2.23

Packagist / composer/composer

Package

Name: composer/composer
Purl: pkg:composer/composer/composer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3

Fixed

2.7.7

Affected versions

2.*

2.3.0-RC1

2.3.0-RC2

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.4.0-RC1

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6