CVE-2024-35241

EPSS 0.48%
Published 10.06.2024 22:15:09
Last modified 21.04.2025 16:15:54
Source security-advisories@github.com
Teams watchlist Login
Open Login

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

Affected products Warnungen 0 Metrics 2 CWE 1 References 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Vendorfedoraproject

≫

Product fedora

Default Statusunknown

Version 39

Status affected

Version 40

Status affected

Vendorgetcomposer

≫

Product composer

Default Statusunknown

Version < 2.2.24

Version 2.0

Status affected

Vendorgetcomposer

≫

Product composer

Default Statusunknown

Version < 2.7.7

Version 2.3

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.48%	0.638

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4

https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704

https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/

https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer

https://nvd.nist.gov/vuln/detail/CVE-2024-35241

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-35241

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-35241

EUVD