// For flags

CVE-2024-24821

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
```

Composer es un administrador de dependencias para el lenguaje PHP. En las versiones afectadas, se incluyen varios archivos dentro del directorio de trabajo local durante la invocación de Composer y en el contexto del usuario que lo ejecuta. Como tal, bajo ciertas condiciones la ejecución de código arbitrario puede conducir a una escalada de privilegios locales, proporcionar movimiento lateral del usuario o ejecución de código malicioso cuando se invoca Composer dentro de un directorio con archivos manipulados. Todos los comandos de Composer CLI se ven afectados, incluida la actualización automática de Composer.phar. Los siguientes escenarios son de alto riesgo: Composer ejecutado con sudo, Canalizaciones que pueden ejecutar Composer en proyectos que no son de confianza, Entornos compartidos con desarrolladores que ejecutan Composer individualmente en el mismo proyecto. Esta vulnerabilidad se ha solucionado en las versiones 2.7.0 y 2.2.23. Se recomienda que las versiones parcheadas se apliquen lo antes posible. Cuando no sea posible, se debe abordar lo siguiente: eliminar todos los privilegios de Sudo Composer para todos los usuarios para mitigar la escalada de privilegios de root y evitar ejecutar Composer dentro de un directorio que no sea de confianza o, si es necesario, verificar que el contenido de `vendor/composer/InstalledVersions.php ` y `vendor/composer/installed.php` no incluyen código que no sea de confianza. También se puede restablecer estos archivos mediante lo siguiente:```sh rm seller/composer/installed.php seller/composer/InstalledVersions.php Composer install --no-scripts --no-plugins ```

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-01-31 CVE Reserved
  • 2024-02-08 CVE Published
  • 2024-02-09 EPSS Updated
  • 2024-08-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Getcomposer
Search vendor "Getcomposer"
Composer
Search vendor "Getcomposer" for product "Composer"
>= 2.0.0 < 2.2.23
Search vendor "Getcomposer" for product "Composer" and version " >= 2.0.0 < 2.2.23"
-
Affected
Getcomposer
Search vendor "Getcomposer"
Composer
Search vendor "Getcomposer" for product "Composer"
>= 2.3.0 < 2.7.0
Search vendor "Getcomposer" for product "Composer" and version " >= 2.3.0 < 2.7.0"
-
Affected