CVE-2024-35242

CVE-2024-35242

Name

CVE-2024-35242

Description

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
MISC	https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
MISC	https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/

Type

URI

CONFIRM

https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf

MISC

https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396

MISC

https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/

Match rules

CPE URI	Source package	Min version	Max version
	composer	>= 2.0	< 2.2.24
	composer	>= 2.3	< 2.7.7
`cpe:2.3:o:fedoraproject:fedora:39:::::::*`	fedora	== 39	== 39
`cpe:2.3:o:fedoraproject:fedora:39:::::::*`	fedora	== 40	== 40
`cpe:2.3:a:getcomposer:composer:2.0:::::::*`	composer	>= 2.0	< 2.2.24
`cpe:2.3:a:getcomposer:composer:2.3:::::::*`	composer	>= 2.3	< 2.7.7

CPE URI

Source package

Min version

Max version

composer

>= 2.0

< 2.2.24

composer

>= 2.3

< 2.7.7

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

fedora

== 39

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

fedora

== 40

cpe:2.3:a:getcomposer:composer:2.0:*:*:*:*:*:*:*

composer

>= 2.0

< 2.2.24

cpe:2.3:a:getcomposer:composer:2.3:*:*:*:*:*:*:*

composer

>= 2.3

< 2.7.7

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
composer	edge-community	2.7.7-r0	Dave Hall <skwashd@gmail.com>	fixed
composer	edge-community	2.7.0-r0	Dave Hall <skwashd@gmail.com>	possibly vulnerable
composer	edge-community	2.6.4-r0	Dave Hall <skwashd@gmail.com>	possibly vulnerable
composer	edge-community	2.3.5-r0	Dave Hall <skwashd@gmail.com>	possibly vulnerable
composer	edge-community	2.1.9-r0	Dave Hall <skwashd@gmail.com>	possibly vulnerable
composer	edge-community	2.0.13-r0	Dave Hall <skwashd@gmail.com>	possibly vulnerable
composer	3.22-community	2.7.7-r0	None	fixed
composer	3.22-community	2.7.0-r0	None	possibly vulnerable
composer	3.22-community	2.6.4-r0	None	possibly vulnerable
composer	3.22-community	2.3.5-r0	None	possibly vulnerable
composer	3.22-community	2.1.9-r0	None	possibly vulnerable
composer	3.22-community	2.0.13-r0	None	possibly vulnerable
composer	3.21-community	2.7.7-r0	None	fixed
composer	3.20-community	2.7.7-r0	Dave Hall <skwashd@gmail.com>	fixed

Source package

Branch

Version

Maintainer

Status

composer

edge-community

2.7.7-r0

Dave Hall <skwashd@gmail.com>

fixed

composer

edge-community