Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3838-1 composer security update
Debian DSA Debian DSA DSA-5715-1 composer security update
Github GHSA Github GHSA GHSA-v9qv-c7wm-wgmf Composer has multiple command injections via malicious git/hg branch names
Ubuntu USN Ubuntu USN USN-7603-1 Composer vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 13 Feb 2025 18:00:00 +0000

Type Values Removed Values Added
Description Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories. Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-02-13T17:52:34.786Z

Reserved: 2024-05-14T15:39:41.786Z

Link: CVE-2024-35242

cve-icon Vulnrichment

Updated: 2024-08-02T03:07:46.921Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-06-10T22:15:09.893

Modified: 2025-02-13T18:18:05.910

Link: CVE-2024-35242

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.