CVE-2024-35241: Composer has a command injection via malicious git branch name
(updated )
The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.
References
- github.com/advisories/GHSA-47f6-5gq3-vx9c
- github.com/composer/composer
- github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4
- github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704
- github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
- nvd.nist.gov/vuln/detail/CVE-2024-35241
- www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability
- www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer
Code Behaviors & Features
Detect and mitigate CVE-2024-35241 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →