Lucene search
K

4 matches found

CVE
CVE
added 2021/04/27 8:30 p.m.299 views

CVE-2021-29472

Composer suffers from a vulnerability where Mercurial URLs in root composer.json and package source URLs are not sanitized, allowing remote code execution via HgDriver if hg/Mercurial is installed. The impact is described as higher for services passing user input (e.g., Packagist.org, Private Pac...

8.8CVSS9AI score0.04849EPSS
CVE
CVE
added 2023/09/29 7:33 p.m.187 views

CVE-2023-43655

CVE-2023-43655 affects the PHP dependency manager Composer when a user publishes a web-accessible composer.phar that can be executed as PHP and PHP is configured with register_argc_argv enabled . Multiple connected advisories confirm the vulnerability exists in Composer and describe that versions...

8.8CVSS7.8AI score0.0139EPSS
CVE
CVE
added 2022/04/13 9:0 p.m.179 views

CVE-2022-24828

The CVE-2022-24828 entry concerns Composer’s VcsDriver::getFileContent accepting user-controlled $file or $identifier. The root cause is input that can lead to parameter/command injection when interacting with Mercurial or Git drivers, impacting integrations like Packagist.org where readme conten...

8.8CVSS8.7AI score0.01857EPSS
CVE
CVE
added 2021/10/05 5:40 p.m.137 views

CVE-2021-41116

CVE-2021-41116 affects the PHP package manager Composer . The vulnerability allows command injection on Windows when installing untrusted dependencies; other OSes and WSL are not affected. The issue has been fixed in Composer versions 1.10.23 and 2.1.9 ; there are no workarounds reported. This CV...

9.8CVSS9.2AI score0.02904EPSS