Vulnerability Description
Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Getcomposer | Composer | < 1.10.23 |
| Tenable | Tenable.Sc | < 5.21.0 |
Related Weaknesses (CWE)
References
- https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbPatchThird Party Advisory
- https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcfThird Party Advisory
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers/
- https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbPatchThird Party Advisory
- https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcfThird Party Advisory
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers/
FAQ
What is CVE-2021-41116?
CVE-2021-41116 is a vulnerability with a CVSS score of 8.2 (HIGH). Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should up...
How severe is CVE-2021-41116?
CVE-2021-41116 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-41116?
Check the references section above for vendor advisories and patch information. Affected products include: Getcomposer Composer, Tenable Tenable.Sc.