CVE-2024-35241

EPSS 0.43%
Veröffentlicht 10.06.2024 22:15:09
Zuletzt bearbeitet 21.04.2025 16:15:54
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerfedoraproject

≫

Produkt fedora

Default Statusunknown

Version 39

Status affected

Version 40

Status affected

Herstellergetcomposer

≫

Produkt composer

Default Statusunknown

Version < 2.2.24

Version 2.0

Status affected

Herstellergetcomposer

≫

Produkt composer

Default Statusunknown

Version < 2.7.7

Version 2.3

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.618

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4

https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704

https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/

https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer

https://nvd.nist.gov/vuln/detail/CVE-2024-35241

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-35241

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-35241

EUVD