CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

14 matches found

OSV•added 2024/03/06 10:51 a.m.•41 views

BIT-COMPOSER-2021-29472 Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer

Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to...

8.8CVSS8.9AI score0.0481EPSS

Exploits1References8

OSV•added 2022/04/22 8:15 p.m.•37 views

GHSA-X7CR-6QR6-2HH6 Missing input validation can lead to command execution in composer

The Composer method VcsDriver::getFileContent with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used. This led to a vulnerability on Packagist.or...

8.3CVSS8.9AI score0.0178EPSS

Exploits0References9

Github Security Blog•added 2022/04/22 8:15 p.m.•39 views

Missing input validation can lead to command execution in composer

8.8CVSS4.9AI score0.0178EPSS

Exploits0References9Affected Software1

NVD•added 2022/04/13 9:15 p.m.•23 views

CVE-2022-24828

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call VcsDriver::getFileContent can have a code injection vulnerability if the user can control the $file or $identifier argument. This leads to a vulnerability on packagist.org for example where...

8.8CVSS0.0178EPSS

Exploits0References6

CVE•added 2022/04/13 9:0 p.m.•176 views

CVE-2022-24828

The CVE-2022-24828 entry concerns Composer’s VcsDriver::getFileContent accepting user-controlled $file or $identifier. The root cause is input that can lead to parameter/command injection when interacting with Mercurial or Git drivers, impacting integrations like Packagist.org where readme conten...

8.8CVSS8.7AI score0.0178EPSS

Exploits0References6Affected Software1

Github Security Blog•added 2021/04/29 9:52 p.m.•57 views

Composer's missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial

URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow commands to be executed in the HgDriver if hg/Mercurial is installed on the system. Impact - The impact to Composer users directly is limit...

8.8CVSS2.4AI score0.0481EPSS

Exploits1References10Affected Software1

OSV•added 2021/04/29 9:52 p.m.•22 views

GHSA-H5H8-PC6H-JVVX Composer's missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial

8.8CVSS9AI score0.0481EPSS

Exploits1References10

NVD•added 2021/04/27 9:15 p.m.•16 views

CVE-2021-29472

8.8CVSS0.0481EPSS

Exploits1References7

OSV•added 2021/04/27 9:15 p.m.•25 views

CVE-2021-29472

8.8CVSS9AI score

Exploits0References7

UbuntuCve•added 2021/04/27 9:15 p.m.•40 views

CVE-2021-29472

8.8CVSS7.3AI score0.0481EPSS

Exploits1References5

Prion•added 2021/04/27 9:15 p.m.•29 views

Remote code execution

6.5CVSS8.9AI score0.0481EPSS

Exploits1References7Affected Software3

Cvelist•added 2021/04/27 8:30 p.m.•21 views

CVE-2021-29472 Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer

8.8CVSS9.1AI score0.0481EPSS

Exploits1References7