CVE-2024-35241

EPSS 0.43%
Veröffentlicht 10.06.2024 22:15:09
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Composer vulnerable to command injection via malicious git branch name

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 3 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerfedoraproject

≫

Produkt fedora

Default Statusunknown

Version 39

Status affected

Version 40

Status affected

Herstellergetcomposer

≫

Produkt composer

Default Statusunknown

Version 2.0

Version < 2.2.24

Status affected

Herstellergetcomposer

≫

Produkt composer

Default Statusunknown

Version 2.3

Version < 2.7.7

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.624

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4

https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704

https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/

https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer

https://nvd.nist.gov/vuln/detail/CVE-2024-35241

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-35241

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-35241

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-35241