suse-su-2024:2106-1
Vulnerability from csaf_suse
Published
2024-06-20 14:19
Modified
2024-06-20 14:19
Summary
Security update for php-composer2
Notes
Title of the patch
Security update for php-composer2
Description of the patch
This update for php-composer2 fixes the following issues:
- CVE-2024-35241: Fixed code execution through the `status`, `reinstall` and `remove` commands when a package installed from source via git has specially crafted branch names in its repository (bsc#1226181). Until the update is applied, installing dependencies with `--prefer-dist` or the `preferred-install: dist` config setting avoids the vulnerable git-source path.
- CVE-2024-35242: Fixed command injection when `composer install` runs inside a git or hg repository whose branch names are specially crafted; exploitation requires cloning an untrusted repository (bsc#1226182).
Note: the fixed SUSE package is php-composer2-2.2.3-150400.3.12.1. It keeps the upstream 2.2.3 version string rather than the upstream fixed releases 2.2.24 (2.2 LTS) / 2.7.7 (mainline), so verify patch status by the installed package release, not by the version Composer reports.
Patchnames
SUSE-2024-2106,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-2106,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2106,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2106,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2106,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2106,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-2106,openSUSE-SLE-15.5-2024-2106
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for php-composer2", "title": "Title of the patch" }, { "category": "description", "text": "This update for php-composer2 fixes the following issues:\n\n- CVE-2024-35241: Fixed code execution when installing packages in repository with specially crafted branch names (bsc#1226181).\n- CVE-2024-35242: Fixed command injection via specially crafted branch names during repository cloning (bsc#1226182).\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2024-2106,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-2106,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2106,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2106,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2106,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2106,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-2106,openSUSE-SLE-15.5-2024-2106", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2106-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2024:2106-1", "url": 
"https://www.suse.com/support/update/announcement/2024/suse-su-20242106-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2024:2106-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018770.html" }, { "category": "self", "summary": "SUSE Bug 1226181", "url": "https://bugzilla.suse.com/1226181" }, { "category": "self", "summary": "SUSE Bug 1226182", "url": "https://bugzilla.suse.com/1226182" }, { "category": "self", "summary": "SUSE CVE CVE-2024-35241 page", "url": "https://www.suse.com/security/cve/CVE-2024-35241/" }, { "category": "self", "summary": "SUSE CVE CVE-2024-35242 page", "url": "https://www.suse.com/security/cve/CVE-2024-35242/" } ], "title": "Security update for php-composer2", "tracking": { "current_release_date": "2024-06-20T14:19:04Z", "generator": { "date": "2024-06-20T14:19:04Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2024:2106-1", "initial_release_date": "2024-06-20T14:19:04Z", "revision_history": [ { "date": "2024-06-20T14:19:04Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "php-composer2-2.2.3-150400.3.12.1.noarch", "product": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch", "product_id": "php-composer2-2.2.3-150400.3.12.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", "product": { "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp5" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product": { "name": "SUSE Linux Enterprise High 
Performance Computing 15 SP4-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product": { "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server 15 SP4-LTSS", "product": { "name": "SUSE Linux Enterprise Server 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS", "product_identification_helper": { "cpe": "cpe:/o:suse:sles-ltss:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product": { "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product_identification_helper": { "cpe": "cpe:/o:suse:sles_sap:15:sp4" } } }, { "category": "product_name", "name": "SUSE Manager Server 4.3", "product": { "name": "SUSE Manager Server 4.3", "product_id": "SUSE Manager Server 4.3", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-manager-server:4.3" } } }, { "category": "product_name", "name": "openSUSE Leap 15.5", "product": { "name": "openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.5" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", "product_id": "SUSE Linux Enterprise Module for Web and 
Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch" }, "product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5" }, { "category": "default_component_of", "full_product_name": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch" }, "product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS" }, { "category": "default_component_of", "full_product_name": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch" }, "product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS", "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch" }, "product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS" }, { "category": "default_component_of", "full_product_name": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4", "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch" }, "product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch", "relates_to_product_reference": "SUSE Linux 
Enterprise Server for SAP Applications 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Manager Server 4.3", "product_id": "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch" }, "product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch", "relates_to_product_reference": "SUSE Manager Server 4.3" }, { "category": "default_component_of", "full_product_name": { "name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch" }, "product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch", "relates_to_product_reference": "openSUSE Leap 15.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-35241", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-35241" } ], "notes": [ { "category": "general", "text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. 
As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch", "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2024-35241", "url": "https://www.suse.com/security/cve/CVE-2024-35241" }, { "category": "external", "summary": "SUSE Bug 1226181 for CVE-2024-35241", "url": "https://bugzilla.suse.com/1226181" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch", "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": 
"HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch", "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2024-06-20T14:19:04Z", "details": "important" } ], "title": "CVE-2024-35241" }, { "cve": "CVE-2024-35242", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2024-35242" } ], "notes": [ { "category": "general", "text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. 
As a workaround, avoid cloning potentially compromised repositories.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch", "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2024-35242", "url": "https://www.suse.com/security/cve/CVE-2024-35242" }, { "category": "external", "summary": "SUSE Bug 1226182 for CVE-2024-35242", "url": "https://bugzilla.suse.com/1226182" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch", "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch", "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch", "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2024-06-20T14:19:04Z", "details": "important" } ], "title": "CVE-2024-35242" } ] }