GHSA-47f6-5gq3-vx9c

Suggest an improvement
Source
https://github.com/advisories/GHSA-47f6-5gq3-vx9c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-47f6-5gq3-vx9c/GHSA-47f6-5gq3-vx9c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-47f6-5gq3-vx9c
Aliases
Related
Published
2024-06-10T21:36:32Z
Modified
2024-07-15T22:27:09.390208Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Composer has a command injection via malicious git branch name
Details

Impact

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

Database specific
{
    "nvd_published_at": "2024-06-10T22:15:09Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-10T21:36:32Z"
}
References

Affected packages

Packagist / composer/composer

Package

Name
composer/composer
Purl
pkg:composer/composer/composer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.2.24

Affected versions

2.*

2.0.0-alpha1
2.0.0-alpha2
2.0.0-alpha3
2.0.0-RC1
2.0.0-RC2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.1.0-RC1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.14
2.2.0-RC1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21
2.2.22
2.2.23

Packagist / composer/composer

Package

Name
composer/composer
Purl
pkg:composer/composer/composer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3
Fixed
2.7.7

Affected versions

2.*

2.3.0-RC1
2.3.0-RC2
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.4.0-RC1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6