4 matches found
CVE-2021-29472
Composer suffers from a vulnerability where Mercurial URLs in root composer.json and package source URLs are not sanitized, allowing remote code execution via HgDriver if hg/Mercurial is installed. The impact is described as higher for services passing user input (e.g., Packagist.org, Private Pac...
CVE-2023-43655
CVE-2023-43655 affects the PHP dependency manager Composer when a user publishes a web-accessible composer.phar that can be executed as PHP and PHP is configured with register_argc_argv enabled . Multiple connected advisories confirm the vulnerability exists in Composer and describe that versions...
CVE-2022-24828
The CVE-2022-24828 entry concerns Composer’s VcsDriver::getFileContent accepting user-controlled $file or $identifier. The root cause is input that can lead to parameter/command injection when interacting with Mercurial or Git drivers, impacting integrations like Packagist.org where readme conten...
CVE-2021-41116
CVE-2021-41116 affects the PHP package manager Composer . The vulnerability allows command injection on Windows when installing untrusted dependencies; other OSes and WSL are not affected. The issue has been fixed in Composer versions 1.10.23 and 2.1.9 ; there are no workarounds reported. This CV...