#VU91685 Command Injection in composer - CVE-2024-35242


| Updated: 2024-07-02

Vulnerability identifier: #VU91685

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-35242

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
composer
Other software / Other software solutions

Vendor: getcomposer.org

Mitigation
Install updates from vendor's website.

Vulnerable software versions

composer: 2.0.0 - 2.0.14, 2.1.0 - 2.1.14, 2.2.0 - 2.2.23, 2.3.0 - 2.3.10, 2.4.0 - 2.4.4, 2.5.0 - 2.5.8, 2.6.0 - 2.6.6, 2.7.0 - 2.7.6

External links
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
https://github.com/composer/composer/releases/tag/2.2.24
https://github.com/composer/composer/releases/tag/2.7.7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for composer
SUSE update for php-composer2
SUSE update for php-composer2
Fedora 40 update for composer
Fedora EPEL 9 update for composer
Fedora 39 update for composer
Multiple vulnerabilities in Composer