CVE-2024-35242

Composer vulnerable to command injection via malicious git/hg branch names

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Composer es un administrador de dependencias para PHP. En la rama 2.x anterior a las versiones 2.2.24 y 2.7.7, el comando `composer install` que se ejecuta dentro de un repositorio git/hg que tiene nombres de rama especialmente manipulados puede provocar la inyección de comandos. Esto requiere clonar repositorios que no sean de confianza. Los parches están disponibles en la versión 2.2.24 para 2.2 LTS o 2.7.7 para la línea principal. Como workaround, evite clonar repositorios potencialmente comprometidos.

*Credits: N/A

CVSS Scores

GitHubv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-14 CVE Reserved
2024-06-10 CVE Published
2024-06-11 EPSS Updated
2024-07-15 First Exploit
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (6)

URL	Tag	Source
https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396	X_refsource_misc
https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467	X_refsource_misc
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC

URL	Date	SRC
https://github.com/KKkai0315/CVE-2024-35242	2024-07-15

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Composer Search vendor "Composer"		Composer Search vendor "Composer" for product "Composer"				>= 2.0.0 < 2.2.24 Search vendor "Composer" for product "Composer" and version " >= 2.0.0 < 2.2.24"		en		Affected
Composer Search vendor "Composer"		Composer Search vendor "Composer" for product "Composer"				>= 2.3.0 < 2.7.7 Search vendor "Composer" for product "Composer" and version " >= 2.3.0 < 2.7.7"		en		Affected