Command Injection

2024-06-1207:14:42

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

composer vulnerability

command injection

git repositories

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

composer/composer is vulnerable to Command Injection. This vulnerability is due to specially crafted branch names in git/hg repositories, when executing the composer install command, which allows an attacker to execute arbitrary commands.

CPENameOperatorVersion
composer/composerle2.7.6
composer/composerle2.2.23
composer:sideq2.0.9-1
composer:sideq2.0.9-2
composer:sideq1.10.13-1
composer:3.19eq2.6.5-r0
composer:3.19eq2.7.1-r0
composer:3.19eq2.7.4-r0
composer:3.19eq2.7.6-r0
composer:edgeeq1.10.6-r0

Name	Operator	Version
composer/composer	le	2.7.6
composer/composer	le	2.2.23
composer:sid	eq	2.0.9-1
composer:sid	eq	2.0.9-2
composer:sid	eq	1.10.13-1
composer:3.19	eq	2.6.5-r0
composer:3.19	eq	2.7.1-r0
composer:3.19	eq	2.7.4-r0
composer:3.19	eq	2.7.6-r0
composer:edge	eq	1.10.6-r0