- Description: Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a PHP file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web, as this is not best practice.
- Source: security-advisories@github.com
- NVD status: Modified
- CVSS 3.1
  - Type: Primary
  - Base score: 8.8
  - Impact score: 5.9
  - Exploitability score: 2.8
  - Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  - Severity: HIGH
- Weakness (source: security-advisories@github.com): CWE-74
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "66CB8B8A-9709-486A-BFA5-B92C4A11FA03",
"versionEndExcluding": "1.10.27"
},
{
"criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BFF216E8-6DB2-42E3-8AC8-A3F09E295E5C",
"versionEndExcluding": "2.2.21",
"versionStartIncluding": "2.0.0"
},
{
"criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "23A42BAC-CC39-4A97-9A3B-60654E18A061",
"versionEndExcluding": "2.6.4",
"versionStartIncluding": "2.3.0"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D"
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"
}
],
"operator": "OR"
}
]
}
]