Lucene search

[email protected]CVE-2023-43655

HistorySep 29, 2023 - 8:15 p.m.

CVE-2023-43655

2023-09-2920:15:09

CWE-74

[email protected]

web.nvd.nist.gov

composer

php

dependency manager

cve

security

vulnerability

rce

remote code execution

nvd

patch

upgrade

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.0%

JSON

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has register_argc_argv enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Affected configurations

Vulners

NVD

Node

composercomposerRange2.0–2.2.22

composercomposerRange<1.10.27

CPENameOperatorVersion
getcomposer:composergetcomposer composerlt1.10.27
getcomposer:composergetcomposer composerlt2.2.21
getcomposer:composergetcomposer composerlt2.6.4

CPE	Name	Operator	Version
getcomposer:composer	getcomposer composer	lt	1.10.27
getcomposer:composer	getcomposer composer	lt	2.2.21
getcomposer:composer	getcomposer composer	lt	2.6.4

CNA Affected

[
  {
    "vendor": "composer",
    "product": "composer",
    "versions": [
      {
        "version": "2.6.4, 2.2.21, 1.10.27",
        "status": "affected"
      },
      {
        "version": ">= 2.0, < 2.2.22",
        "status": "affected"
      },
      {
        "version": "< 1.10.27",
        "status": "affected"
      }
    ]
  }
]