GHSA-47f6-5gq3-vx9c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-47f6-5gq3-vx9c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-47f6-5gq3-vx9c/GHSA-47f6-5gq3-vx9c.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-47f6-5gq3-vx9c
- Aliases
- Related
- Published
- 2024-06-10T21:36:32Z
- Modified
- 2025-04-23T14:49:49.244084Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Composer has a command injection via malicious git branch name
- Details
-
Impact
The
status,reinstallandremovecommands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.Patches
2.2.24 for 2.2 LTS or 2.7.7 for mainline
Workarounds
Avoid installing dependencies via git by using
--prefer-distor thepreferred-install: distconfig setting. - Database specific
{ "nvd_published_at": "2024-06-10T22:15:09Z", "cwe_ids": [ "CWE-77" ], "severity": "HIGH", "github_reviewed_at": "2024-06-10T21:36:32Z", "github_reviewed": true }- References
-
- https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
- https://nvd.nist.gov/vuln/detail/CVE-2024-35241
- https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4
- https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704
- https://github.com/composer/composer
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
- https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer
Affected packages
Packagist / composer/composer
Package
- Name
- composer/composer
- Purl
- pkg:composer/composer/composer
Affected versions
2.*
2.0.0-alpha1
2.0.0-alpha2
2.0.0-alpha3
2.0.0-RC1
2.0.0-RC2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.1.0-RC1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.14
2.2.0-RC1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21
2.2.22
2.2.23
Packagist / composer/composer
Package
- Name
- composer/composer
- Purl
- pkg:composer/composer/composer