CVE-2022-24828

Missing input validation can lead to command execution in composer

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

Composer es un administrador de dependencias para el lenguaje de programación PHP. Los integradores usando el código de Composer para llamar a la función "VcsDriver::getFileContent" pueden tener una vulnerabilidad de inyección de código si el usuario puede controlar el argumento "$file" o "$identifier". Esto conlleva a una vulnerabilidad en packagist.org, por ejemplo, donde el campo "readme" de composer.json puede ser usado como vector para inyectar parámetros en hg/Mercurial por medio del argumento "$file", o en git por medio del argumento "$identifier" si son permitidos datos arbitrarios allí (Packagist no lo hace, pero quizás otros integradores sí). El propio Composer no debería verse afectado por la vulnerabilidad, ya que no llama a "getFileContent" con datos arbitrarios en $file"/"$identifier". Por lo que sabemos, no ha sido abusado de ello, y la vulnerabilidad ha sido parcheada en packagist.org y en Private Packagist un día después del informe de la vulnerabilidad

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-13 CVE Published
2023-12-03 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CAPEC

References (6)

URL	Tag	Source
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709	2023-11-07
https://www.tenable.com/security/tns-2022-09	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				< 1.10.26 Search vendor "Getcomposer" for product "Composer" and version " < 1.10.26"		-		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				>= 2.0.0 < 2.2.12 Search vendor "Getcomposer" for product "Composer" and version " >= 2.0.0 < 2.2.12"		-		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				>= 2.3.0 < 2.3.5 Search vendor "Getcomposer" for product "Composer" and version " >= 2.3.0 < 2.3.5"		-		Affected
Tenable Search vendor "Tenable"		Tenable.sc Search vendor "Tenable" for product "Tenable.sc"				< 5.21.0 Search vendor "Tenable" for product "Tenable.sc" and version " < 5.21.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected