Missing input validation can lead to command execution in composer
Affected versions: < 1.10.26; >= 2.0, < 2.2.12; >= 2.3, < 2.3.5
Patched versions: 1.10.26, 2.2.12, 2.3.5
Description
Published by the National Vulnerability Database: Apr 13, 2022
Published to the GitHub Advisory Database: Apr 22, 2022
Reviewed: Apr 22, 2022
Last updated: Jan 24, 2024
The Composer method VcsDriver::getFileContent() is susceptible to an argument injection vulnerability when its $file or $identifier arguments are user-controlled. If the Mercurial or the Git driver is used, this can be leveraged to gain arbitrary command execution.

This led to a vulnerability on Packagist.org and Private Packagist: the composer.json readme field could be used as a vector for injecting parameters into the $file argument for the Mercurial driver, or via the $identifier argument for the Git and Mercurial drivers.

Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository that is explicitly listed by URL in a project's composer.json.
To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.
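The root cause described above is a missing check on values that end up as positional arguments to git or hg: a ref or path beginning with "-" is parsed by the VCS binary as an option, not as data. The following is an added illustration of the guard such a getFileContent() needs, written in Python rather than Composer's PHP; it is not Composer's own code, and the allow-list regex, the function names and the error class are assumptions chosen for the example. It builds the argv lists for the Git and Mercurial drivers only after validating $identifier and $file, and never passes them through a shell.

```python
"""Added illustration (not Composer's code): validating $identifier and $file
before they reach git or hg, so that neither can be parsed as an option."""
import re
import subprocess
from typing import List

# Assumption for this example: a conservative allow-list for refs and
# repository-relative paths. The first character must be alphanumeric, which
# already excludes a leading '-'; whitespace and control characters are out.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")


class ArgumentInjectionError(ValueError):
    """Raised when an untrusted value could be read as a command-line option."""


def validate_vcs_argument(value: str, what: str) -> str:
    """Return `value` unchanged if it is safe to use as a ref or path."""
    if not value:
        raise ArgumentInjectionError(f"{what} must not be empty")
    # Explicit check first so the error names the classic injection shape.
    if value.startswith("-"):
        raise ArgumentInjectionError(f"{what} must not start with '-': {value!r}")
    if not _SAFE_TOKEN.match(value):
        raise ArgumentInjectionError(f"{what} contains disallowed characters: {value!r}")
    if ".." in value.split("/"):
        raise ArgumentInjectionError(f"{what} must not contain '..' segments: {value!r}")
    return value


def git_show_argv(identifier: str, file: str) -> List[str]:
    """argv for reading <file> at <identifier> with the Git driver.

    `git show` takes the object spec positionally before any `--`, so the
    validation above is what keeps a crafted ref from becoming an option.
    """
    ref = validate_vcs_argument(identifier, "$identifier")
    path = validate_vcs_argument(file, "$file")
    return ["git", "show", f"{ref}:{path}"]


def hg_cat_argv(identifier: str, file: str) -> List[str]:
    """argv for reading <file> at <identifier> with the Mercurial driver.

    hg honours `--` as end-of-options, so the path is placed after it in
    addition to being validated.
    """
    ref = validate_vcs_argument(identifier, "$identifier")
    path = validate_vcs_argument(file, "$file")
    return ["hg", "cat", "-r", ref, "--", path]


def is_rejected(identifier: str, file: str) -> bool:
    """True if the guard refuses the pair (used to demonstrate the check)."""
    try:
        git_show_argv(identifier, file)
        hg_cat_argv(identifier, file)
    except ArgumentInjectionError:
        return True
    return False


def read_vcs_file(argv: List[str], repo_dir: str) -> bytes:
    """Run a validated argv list as a plain process (no shell) and return stdout."""
    return subprocess.run(argv, cwd=repo_dir, check=True, capture_output=True).stdout


if __name__ == "__main__":
    # Constructed inputs: a normal tag and a readme path, then values shaped
    # like options, which the guard must refuse.
    print(git_show_argv("v1.2.3", "README.md"))
    print(hg_cat_argv("default", "docs/README.md"))
    for ident, path in (("--something", "README.md"), ("main", "-x"), ("main", "../x")):
        print(ident, path, "rejected" if is_rejected(ident, path) else "accepted")
```

The same shape applies in PHP: check the raw string before interpolating it into the command, build the command from an argument array rather than a formatted string, and put `--` in front of path arguments wherever the VCS tool accepts it.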