Vulnerability Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, running `composer install` inside a git or hg repository that contains specially crafted branch names can lead to command injection: the branch name is incorporated into the git/hg commands Composer executes, and shell metacharacters in it are interpreted rather than treated as part of the name. Exploitation requires that the victim first clone an attacker-controlled repository and then run `composer install` inside it (a developer or a CI job that checks out untrusted forks is the realistic exposure). Patches are available in version 2.2.24 for the 2.2 LTS line and 2.7.7 for mainline. As a workaround, avoid cloning, and running `composer install` inside, repositories you do not trust.
CVSS Score
8.8 (HIGH)
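The injection class the description refers to, as an added illustration that is not Composer's code and does not reproduce its internals: a git ref name is interpolated into a shell command string (vulnerable), versus passing it as a separate argv element or shell-quoting it (hardened), plus a pre-install check that flags branch names carrying shell metacharacters. The branch name `feature/$(echo INJECTED)` is a constructed sample; git's ref-name rules reject space, `~`, `^`, `:`, `?`, `*`, `[`, `\` and `..`, but allow `$`, `(`, `)`, `;`, `|` and `&`, so such a name is legal and can be pushed by an attacker.

```python
"""Command injection through a crafted git branch name, and two safe alternatives.

Added example: not Composer's code. It uses `echo` as a stand-in for whatever
git/hg subcommand a tool would run with the ref name as an argument.
"""
import re
import shlex
import subprocess

# Shell metacharacters that git still permits inside a ref name (git itself
# rejects space, ~, ^, :, ?, *, [, \ and ".."). Conservative on purpose.
SHELL_META = re.compile(r"""[;&|<>$`'"(){}!#]""")

# Constructed sample: a legal ref name that carries a command substitution.
CRAFTED_BRANCH = "feature/$(echo INJECTED)"


def suspicious_branch_names(names):
    """Return the branch names that contain shell metacharacters.

    Intended as a check before running a tool inside a freshly cloned repo;
    feed it the output of `git for-each-ref --format='%(refname:short)'`.
    """
    return [n for n in names if SHELL_META.search(n)]


def describe_branch_vulnerable(branch):
    """Vulnerable pattern: untrusted ref name interpolated into a shell string.

    sh parses the command line, so $(...) in the name is executed.
    """
    cmd = f"echo branch={branch}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def describe_branch_hardened(branch):
    """Hardened: argv list, no shell involved; the name is one literal argument."""
    return subprocess.run(["echo", f"branch={branch}"], capture_output=True, text=True).stdout


def describe_branch_quoted(branch):
    """Hardened variant for cases where a shell is unavoidable: quote each argument."""
    cmd = "echo " + shlex.quote(f"branch={branch}")
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("flagged:", suspicious_branch_names(["main", "release/2.7", CRAFTED_BRANCH]))
    print("vulnerable:", describe_branch_vulnerable(CRAFTED_BRANCH), end="")
    print("argv list: ", describe_branch_hardened(CRAFTED_BRANCH), end="")
    print("quoted:    ", describe_branch_quoted(CRAFTED_BRANCH), end="")
```

The vulnerable helper prints `branch=feature/INJECTED` because the shell ran the substitution; both hardened helpers print the branch name verbatim. The fix that matters is the argv form: quoting is a fallback, and the metacharacter scan is a detection aid for untrusted clones, not a substitute for upgrading Composer.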
Related Weaknesses (CWE)
References
- https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0
- https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fd
- https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
FAQ
What is CVE-2024-35242?
CVE-2024-35242 is a vulnerability with a CVSS score of 8.8 (HIGH). Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch nam...
How severe is CVE-2024-35242?
CVE-2024-35242 has been rated HIGH with a CVSS base score of 8.8/10. The impact is command execution on the machine running `composer install`, but only when the victim has cloned an attacker-controlled repository and runs the command inside it.
Is there a patch for CVE-2024-35242?
Yes. The issue is fixed in Composer 2.2.24 (2.2 LTS) and 2.7.7 (mainline); the fixing commits and the GHSA-v9qv-c7wm-wgmf advisory are listed in the references above. Until you have upgraded, do not clone and run `composer install` inside repositories you do not trust.