Composer has a command injection via malicious git branch name

2024-06-1021:36:32

Google

osv.dev

composer

command injection

git

branch names

code execution

patches

2.2 lts

2.7.7

workarounds

dependencies

prefer-dist

preferred-install

software

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Impact

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

CPENameOperatorVersion
composer/composereq2.3.0-RC2
composer/composereq2.1.12
composer/composereq2.2.14
composer/composereq2.0.2
composer/composereq2.6.0
composer/composereq2.1.8
composer/composereq2.0.6
composer/composereq2.2.13
composer/composereq2.1.0-RC1
composer/composereq2.1.4

Name	Operator	Version
composer/composer	eq	2.3.0-RC2
composer/composer	eq	2.1.12
composer/composer	eq	2.2.14
composer/composer	eq	2.0.2
composer/composer	eq	2.6.0
composer/composer	eq	2.1.8
composer/composer	eq	2.0.6
composer/composer	eq	2.2.13
composer/composer	eq	2.1.0-RC1
composer/composer	eq	2.1.4