Headline
GHSA-47f6-5gq3-vx9c: Composer has a command injection via malicious git branch name
Impact
The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.
Patches
2.2.24 for 2.2 LTS or 2.7.7 for mainline
Workarounds
Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-35241
Composer has a command injection via malicious git branch name
High severity GitHub Reviewed Published Jun 10, 2024 in composer/composer • Updated Jun 10, 2024
Package
composer composer/composer (Composer)
Affected versions
>= 2.0, < 2.2.24
>= 2.3, < 2.7.7
Patched versions
2.2.24
2.7.7
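The following audit script is an added example, not Composer's own code, showing how a defender can check a project against this advisory: it tests a Composer version against the affected ranges given above, lists packages that were installed from source via git and flags dev-branch names carrying shell metacharacters, and checks or applies the preferred-install: dist workaround. It assumes the Composer 2 layout of vendor/composer/installed.json (a top-level "packages" list whose entries carry "name", "version", "installation-source" and a "source" object with "type" and "url") and the config.preferred-install key of composer.json; the sample data is constructed for the example.

```python
"""Audit helpers for GHSA-47f6-5gq3-vx9c (added example, not Composer's code).

Assumed file layouts: vendor/composer/installed.json as written by Composer 2
({"packages": [...]}, with a bare list tolerated for older layouts) and the
"config" -> "preferred-install" key of composer.json.
"""
import json
import re

# Characters that mean something to a shell. A branch name containing any of
# them is not proof of an attack, only a reason to review that checkout.
SHELL_METACHARS = re.compile(r'[;&|$`(){}<>\'"\n]')


def _parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def composer_is_affected(version: str) -> bool:
    """True if this Composer release falls in an affected range from the advisory."""
    v = _parse_version(version)
    if (2, 0, 0) <= v < (2, 2, 24):   # 2.2 LTS line, fixed in 2.2.24
        return True
    if (2, 3, 0) <= v < (2, 7, 7):    # mainline, fixed in 2.7.7
        return True
    return False


def _branch_from_version(version: str):
    """Recover the branch name from a dev version ("dev-foo" or "1.x-dev")."""
    if version.startswith("dev-"):
        return version[4:]
    if version.endswith("-dev"):
        return version[:-4]
    return None


def audit_installed(installed_json: str) -> list:
    """Return every package installed from a git source, with a suspicion flag."""
    data = json.loads(installed_json)
    packages = data["packages"] if isinstance(data, dict) else data
    findings = []
    for pkg in packages:
        source = pkg.get("source") or {}
        if pkg.get("installation-source") != "source" or source.get("type") != "git":
            continue  # dist installs are not exposed to the branch-name issue
        branch = _branch_from_version(pkg.get("version", ""))
        findings.append({
            "name": pkg["name"],
            "branch": branch,
            "url": source.get("url"),
            "suspicious": bool(branch and SHELL_METACHARS.search(branch)),
        })
    return findings


def prefers_dist(composer_json: str) -> bool:
    """True only when preferred-install is explicitly dist (string or per-package map)."""
    pref = json.loads(composer_json).get("config", {}).get("preferred-install")
    if isinstance(pref, str):
        return pref == "dist"
    if isinstance(pref, dict):
        return bool(pref) and all(value == "dist" for value in pref.values())
    return False  # unset: report as unpinned so a reviewer looks at it


def harden_composer_json(composer_json: str) -> str:
    """Apply the advisory's workaround by pinning preferred-install to dist."""
    doc = json.loads(composer_json)
    doc.setdefault("config", {})["preferred-install"] = "dist"
    return json.dumps(doc, indent=4) + "\n"


# Constructed sample data; the package names and URLs are not real.
SAMPLE_INSTALLED = json.dumps({"packages": [
    {"name": "acme/safe-lib", "version": "1.4.2", "installation-source": "dist",
     "source": {"type": "git", "url": "https://example.invalid/acme/safe-lib.git"}},
    {"name": "acme/feature-branch", "version": "dev-feature/login",
     "installation-source": "source",
     "source": {"type": "git", "url": "https://example.invalid/acme/feature-branch.git"}},
    {"name": "acme/odd-branch", "version": "dev-hotfix;1", "installation-source": "source",
     "source": {"type": "git", "url": "https://example.invalid/acme/odd-branch.git"}},
]})
SAMPLE_COMPOSER_JSON = json.dumps({"name": "acme/app", "require": {"acme/safe-lib": "^1.4"}})

if __name__ == "__main__":
    print("composer 2.7.6 affected:", composer_is_affected("2.7.6"))
    for finding in audit_installed(SAMPLE_INSTALLED):
        print(finding)
    print("prefers dist before:", prefers_dist(SAMPLE_COMPOSER_JSON))
    print(harden_composer_json(SAMPLE_COMPOSER_JSON))
```

Run it against a real project by reading vendor/composer/installed.json and composer.json into the two functions; any entry returned by audit_installed is a source checkout that the advisory's fixed releases protect and the dist workaround avoids, and the suspicious flag is only a heuristic to prioritise review.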
References
- GHSA-47f6-5gq3-vx9c
- composer/composer@b93fc6c
- composer/composer@ee28354
Published to the GitHub Advisory Database
Jun 10, 2024
Last updated
Jun 10, 2024
Related news
Debian Linux Security Advisory 5715-1 - Two vulnerabilities have been discovered in Composer, a dependency manager for PHP, which could result in arbitrary command execution by operating on malicious git/hg repositories.