CVE-2020-15145 - OpenCVE

In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\ProgramData\ComposerSetup\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Getcomposer	Composer-setup

Configuration 1 [-]

cpe:2.3:a:getcomposer:composer-setup:*:*:*:*:*:windows:*:*

No data.

References

Link	Providers
https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804
https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-08-14T16:35:13

Updated: 2024-08-04T13:08:21.821Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15145

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-08-14T17:15:14.377

Modified: 2020-08-21T14:54:05.307

Link: CVE-2020-15145

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "windows-setup", "vendor": "composer", "versions": [{"status": "affected", "version": "< 6.0.0"}]}], "descriptions": [{"lang": "en", "value": "In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-14T16:35:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"}], "source": {"advisory": "GHSA-wgrx-r3qv-332c", "discovery": "UNKNOWN"}, "title": "Local privilege elevation in Composer-Setup for Windows", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15145", "STATE": "PUBLIC", "TITLE": "Local privilege elevation in Composer-Setup for Windows"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "windows-setup", "version": {"version_data": [{"version_value": "< 6.0.0"}]}}]}, "vendor_name": "composer"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276: Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c", "refsource": "CONFIRM", "url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"}, {"name": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804", "refsource": "MISC", "url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"}]}, "source": {"advisory": "GHSA-wgrx-r3qv-332c", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.821Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15145", "datePublished": "2020-08-14T16:35:13", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.821Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getcomposer:composer-setup:*:*:*:*:*:windows:*:*", "matchCriteriaId": "96AF5B75-DD24-474E-A464-D9CA5BA790C3", "versionEndExcluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}, {"lang": "es", "value": "En Composer-Setup para Windows versiones anteriores a 6.0.0, si la computadora del desarrollador es compartida con otros usuarios, un atacante local puede ser capaz de explotar los siguientes escenarios. 1. Un usuario habitual local puede modificar el archivo \"C:\\ProgramData\\ComposerSetup\\bin\\composer.bat\" existente para conseguir una ejecuci\u00f3n de comandos elevados cuando composer es ejecutado por un administrador. 2. Un usuario habitual local puede crear una dll especialmente dise\u00f1ada en la carpeta \"C:\\ProgramData\\ComposerSetup\\bin\" para alcanzar privilegios del Sistema Local. Consulte: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. Si el directorio de php.exe seleccionado por el usuario no est\u00e1 en la ruta del sistema, es agregado sin comprobar que est\u00e9 protegido por el administrador, seg\u00fan las mejores practicas de Microsoft. Consulte: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}], "id": "CVE-2020-15145", "lastModified": "2020-08-21T14:54:05.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-08-14T17:15:14.377", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security-advisories@github.com", "type": "Primary"}]}