CVE-2023-43655

Remote Code Execution via web-accessible composer.phar

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Composer es un administrador de dependencias para PHP. Los usuarios que publican un composer.phar en un servidor público accesible desde la web donde se puede ejecutar el composer.phar como un archivo php pueden estar sujetos a una vulnerabilidad de ejecución remota de código si PHP también tiene `register_argc_argv` habilitado en php.ini. Las versiones 2.6.4, 2.2.22 y 1.10.27 corrigen esta vulnerabilidad. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que `register_argc_argv` esté deshabilitado en php.ini y evitar publicar composer.phar en la web, ya que esta no es la mejor práctica.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-09-20 CVE Reserved
2023-09-29 CVE Published
2024-09-23 CVE Updated
2024-10-31 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (8)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d	2024-03-27
https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c	2024-03-27
https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c	2024-03-27

URL	Date	SRC
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf	2024-03-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				< 1.10.27 Search vendor "Getcomposer" for product "Composer" and version " < 1.10.27"		-		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				>= 2.0.0 < 2.2.21 Search vendor "Getcomposer" for product "Composer" and version " >= 2.0.0 < 2.2.21"		-		Affected
Getcomposer Search vendor "Getcomposer"		Composer Search vendor "Getcomposer" for product "Composer"				>= 2.3.0 < 2.6.4 Search vendor "Getcomposer" for product "Composer" and version " >= 2.3.0 < 2.6.4"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected