CVE-2024-35242: Composer has multiple command injections via malicious git/hg branch names
(updated )
The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.
References
- github.com/advisories/GHSA-v9qv-c7wm-wgmf
- github.com/composer/composer
- github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
- github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
- github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
- nvd.nist.gov/vuln/detail/CVE-2024-35242
Code Behaviors & Features
Detect and mitigate CVE-2024-35242 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →