smartpay-magento2's Introduction


Smartpay Payment plugin for Magento2

Use Smartpay's plugin for Magento 2 to offer frictionless payments in your store.

Requirements

This plugin supports the following Magento 2 versions:

  • 2.3 and higher (PHP 8 is not supported currently)
  • 2.4 and higher

Features

  • Dead-simple plugin installation
  • Smartpay checkout experience
  • Deep integration with Magento order workflow
  • Automatic & manual capture
  • On-site messaging to boost sales

Installation

You can install our plugin through Composer:

composer require smartpay-co/smartpay-magento2
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:clean
bin/magento setup:static-content:deploy

API Library

This module uses the Smartpay APIs Library for PHP for all API connections to Smartpay.

License

Distributed under the MIT License. See LICENSE.txt for more information.

smartpay-magento2's Issues

CVE-2024-35241 (High) detected in composer/composer-2.4.1

CVE-2024-35241 - High Severity Vulnerability

Vulnerable Library - composer/composer-2.4.1

Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.

Library home page: https://api.github.com/repos/composer/composer/zipball/777d542e3af65f8e7a66a4d98ce7a697da339414

Dependency Hierarchy:

  • magento/magento-composer-installer-0.3.0 (Root Library)
    • composer/composer-2.4.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

Publish Date: 2024-06-10

URL: CVE-2024-35241

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-35241

Release Date: 2024-06-10

Fix Resolution: composer/composer-2.2.24,2.7.7


CVE-2023-43655 (High) detected in composer/composer-2.4.1

CVE-2023-43655 - High Severity Vulnerability

Vulnerable Library - composer/composer-2.4.1

Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.

Library home page: https://api.github.com/repos/composer/composer/zipball/777d542e3af65f8e7a66a4d98ce7a697da339414

Dependency Hierarchy:

  • magento/magento-composer-installer-0.3.0 (Root Library)
    • composer/composer-2.4.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has register_argc_argv enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Publish Date: 2023-09-29

URL: CVE-2023-43655

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jm6m-4632-36hf

Release Date: 2023-09-29

Fix Resolution: composer/composer - 1.10.27,2.2.21,2.6.4


CVE-2024-24821 (High) detected in composer/composer-2.4.1

CVE-2024-24821 - High Severity Vulnerability

Vulnerable Library - composer/composer-2.4.1

Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.

Library home page: https://api.github.com/repos/composer/composer/zipball/777d542e3af65f8e7a66a4d98ce7a697da339414

Dependency Hierarchy:

  • magento/magento-composer-installer-0.3.0 (Root Library)
    • composer/composer-2.4.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code. A reset can also be done on these files by the following:

```sh
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
```

Publish Date: 2024-02-09

URL: CVE-2024-24821 (https://www.mend.io/vulnerability-database/CVE-2024-24821)

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, see https://www.first.org/cvss/calculator/3.0.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h

Release Date: 2024-02-08

Fix Resolution: 2.2.23,2.7.0


CVE-2024-35242 (High) detected in composer/composer-2.4.1

CVE-2024-35242 - High Severity Vulnerability

Vulnerable Library - composer/composer-2.4.1

Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.

Library home page: https://api.github.com/repos/composer/composer/zipball/777d542e3af65f8e7a66a4d98ce7a697da339414

Dependency Hierarchy:

  • magento/magento-composer-installer-0.3.0 (Root Library)
    • composer/composer-2.4.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Publish Date: 2024-06-10

URL: CVE-2024-35242

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-v9qv-c7wm-wgmf

Release Date: 2024-06-10

Fix Resolution: composer/composer-2.2.24,2.7.7

