CVE-2022-24828

EPSS 0.22%
Veröffentlicht 13.04.2022 21:15:07
Zuletzt bearbeitet 21.11.2024 06:51:11
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Getcomposer ≫ Composer Version < 1.10.26

Getcomposer ≫ Composer Version >= 2.0.0 < 2.2.12

Getcomposer ≫ Composer Version >= 2.3.0 < 2.3.5

Tenable ≫ Tenable.Sc Version < 5.21.0

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.448

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
security-advisories@github.com	8.3	1.6	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://www.tenable.com/security/tns-2022-09

Patch

Third Party Advisory

https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709

Patch

Third Party Advisory

https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/

https://nvd.nist.gov/vuln/detail/CVE-2022-24828

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24828

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24828

EUVD