CVE-2024-35242

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

omposer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

References

Link	Resource
https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/
https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/

Configurations

No configuration.

History

13 Feb 2025, 18:18

Type	Values Removed	Values Added
Summary	(en) Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.	(en) Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

21 Nov 2024, 09:20

Type	Values Removed	Values Added
References	~~() https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 -~~	() https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 -
References	~~() https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467 -~~	() https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467 -
References	~~() https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf -~~	() https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf -
References	~~() https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/ -~~	() https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/ -
References	~~() https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/ -~~	() https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/ -

20 Jun 2024, 09:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/ -

20 Jun 2024, 04:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/ -

11 Jun 2024, 13:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-10 22:15

Updated : 2025-02-13 18:18

NVD link : CVE-2024-35242

Mitre link : CVE-2024-35242

CVE.ORG link : CVE-2024-35242

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

8.8 /10