Description

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

INFO

Published Date :

2024-06-10T21:23:44.040Z

Last Modified :

2025-02-13T17:52:34.786Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-35242 vulnerability.

Vendors Products
Fedoraproject
  • Fedora
Getcomposer
  • Composer
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-35242.

URL Resource
https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 cve-icon cve-icon
https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467 cve-icon cve-icon
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact