CVE-2015-8371

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

Composer anterior al 10 de febrero de 2016 permite el envenenamiento de la caché de otros proyectos creados en el mismo host. Esto da como resultado que el código controlado por el atacante ingrese a un proceso de compilación del lado del servidor. El problema se debe a la forma en que se almacenan en caché los paquetes dist. La clave de caché se deriva del nombre del paquete, el tipo de dist y algunos otros datos del repositorio de paquetes (que pueden ser simplemente un hash de confirmación y, por lo tanto, un atacante puede encontrarlos). Las versiones hasta 1.0.0-alpha11 se ven afectadas y la 1.0.0 no.

*Credits: N/A

CVSS Scores

NISTv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-11-27 CVE Reserved
2023-09-21 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2024-08-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (4)

URL	Tag	Source
https://github.com/FriendsOfPHP/security-advisories/blob/e26be423c5bcfdb38478d2f92d1f928c15afb561/composer/composer/CVE-2015-8371.yaml	Third Party Advisory
https://github.com/composer/composer	Product
https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2015-8371.yml	Third Party Advisory

URL	Date	SRC
https://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html	2024-08-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha1		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha10		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha11		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha2		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha3		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha4		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha5		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha6		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha7		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha8		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				1.0.0 Search vendor "Getcomposer" for product "Composer" and version "1.0.0"		alpha9		Affected