CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
9.0%
Composer is a dependency Manager for the PHP language. In affected versions
several files within the local working directory are included during the
invocation of Composer and in the context of the executing user. As such,
under certain conditions arbitrary code execution may lead to local
privilege escalation, provide lateral user movement or malicious code
execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar’s
self-update. The following scenarios are of high risk: Composer being run
with sudo, Pipelines which may execute Composer on untrusted projects,
Shared environments with developers who run Composer individually on the
same project. This vulnerability has been addressed in versions 2.7.0 and
2.2.23. It is advised that the patched versions are applied at the earliest
convenience. Where not possible, the following should be addressed: Remove
all sudo composer privileges for all users to mitigate root privilege
escalation, and avoid running Composer within an untrusted directory, or if
needed, verify that the contents of vendor/composer/InstalledVersions.php
and vendor/composer/installed.php
do not include untrusted code. A reset
can also be done on these files by the following:sh rm vendor/composer/installed.php vendor/composer/InstalledVersions.php composer install --no-scripts --no-plugins
github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
launchpad.net/bugs/cve/CVE-2024-24821
nvd.nist.gov/vuln/detail/CVE-2024-24821
security-tracker.debian.org/tracker/CVE-2024-24821
www.cve.org/CVERecord?id=CVE-2024-24821