CVE-2023-43655 Remote Code Execution via web-accessible composer.phar

2023-09-2919:33:32

CWE-74

GitHub_M

github.com

cve-2023-43655

composer

php

remote code execution

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has register_argc_argv enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:docker:composer:-:*:*:*:*:*:*:*"
    ],
    "vendor": "docker",
    "product": "composer",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2.6.4"
      }
    ],
    "defaultStatus": "unknown"
  }
]