CVE-2024-35241: Composer has a command injection via malicious git branch name
The status, reinstall and remove commands can be used to execute code when run against packages installed from source via git whose repository contains specially crafted branch names.
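As an added illustration of the vulnerability class described above (it is not Composer's own code, nor the patch referenced below), the constructed PHP example shows a branch name taken from a repository interpolated into a shell command string, beside a hardened path that validates the name against git-style ref rules and passes it as an argument array with option parsing terminated by "--". The function names, the validation rules and the sample branch names are assumptions made for this example.

```php
<?php
// Added example (not Composer's code): a git branch name read from a
// repository is attacker-controlled input and must not reach a shell unchecked.
// Function names, validation rules and sample branch names are constructed.

declare(strict_types=1);

// UNSAFE pattern: the branch name is interpolated into a shell string.
// A name such as "main; echo injected" ends the git command and runs the rest.
// Returned as a string only; this example never executes it.
function checkoutUnsafe(string $branch): string
{
    return "git checkout {$branch}";
}

// Conservative validation modelled on git's own ref-name rules
// (git check-ref-format): no leading '-', no '..', no '@{', no '.lock'
// suffix, and only a small character set. Anything else is rejected
// outright rather than shell-escaped.
function isValidBranchName(string $branch): bool
{
    if ($branch === '' || $branch[0] === '-' || str_ends_with($branch, '.lock')) {
        return false;
    }
    if (str_contains($branch, '..') || str_contains($branch, '@{')) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9._\/-]+$/', $branch) === 1;
}

// HARDENED pattern: validate first, then build an argv array (no shell)
// and put "--" before the name so a value starting with "-" can never be
// parsed by git as an option.
function checkoutSafe(string $branch): array
{
    if (!isValidBranchName($branch)) {
        throw new InvalidArgumentException("Rejected branch name: {$branch}");
    }
    return ['git', 'checkout', '--', $branch];
}

// Execute an argv array without a shell (proc_open accepts an array since PHP 7.4).
// Not called below because the sample has no repository to operate on.
function runArgv(array $argv): int
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed sample branch names, as a repository under someone else's
// control might supply them.
$samples = [
    'main',
    'release/2.7',
    'main; echo injected',   // shell metacharacters
    '-q',                    // would be read as a git option without "--"
    'feature..hotfix',       // invalid ref syntax
];

foreach ($samples as $name) {
    printf("%-24s unsafe => %s\n", var_export($name, true), checkoutUnsafe($name));
    try {
        printf("%-24s safe   => %s\n", '', json_encode(checkoutSafe($name)));
    } catch (InvalidArgumentException $e) {
        printf("%-24s safe   => %s\n", '', $e->getMessage());
    }
}
```

Run with `php example.php` (PHP 8.0 or later for str_contains and str_ends_with). The point of the hardened path is that the two defences are independent: the allow-list rejects names a shell or git could misinterpret, and the argv form plus "--" means that even a name that slipped past validation is handed to git as a literal argument, never to a shell.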
References
- github.com/advisories/GHSA-47f6-5gq3-vx9c
- github.com/composer/composer
- github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4
- github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704
- github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
- nvd.nist.gov/vuln/detail/CVE-2024-35241