ID CVE-2021-29472
Summary Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches for this issue.
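The bug class behind this summary is argument injection: the Mercurial URL taken from composer.json or from a package's source metadata is placed as its own word on an `hg` command line, so a value that begins with `-` is parsed by hg as an option rather than as a URL, and hg's `--config` option can redefine settings (shell aliases in Mercurial begin with `!`). The Python below is an added example, not Composer's code and not the reported proof of concept; it models the argv that would be handed to hg (it never executes hg, so it runs offline), uses constructed URLs, and shows the two fixes a reviewer would expect: an allow-list check on the URL shape and a `--` terminator before positional arguments so hg stops option parsing. The `SAFE_HG_URL` pattern, the URLs and the payload string are assumptions for illustration.

```python
"""Argument injection through a VCS URL, and two mitigations.

Added example, not Composer's code. It models the shape of the bug the
advisory describes: a repository URL becomes one argv word of an `hg`
command, and a word beginning with '-' is read by hg as an option.
The hg invocation is only modelled (argv is built, not executed), so this
runs offline. All URLs below are constructed for the example.
"""
from __future__ import annotations

import re
import shlex

# Constructed inputs (assumptions, not taken from the advisory).
GOOD_URL = "https://hg.example.org/vendor/package"
SSH_URL = "ssh://hg@hg.example.org/vendor/package"
# Looks like an hg option rather than a URL: `--config` lets the caller
# override Mercurial settings from the command line, and an alias whose
# body starts with '!' is a shell alias. Illustrative payload only.
EVIL_URL = "--config=alias.clone=!touch /tmp/pwned"


def build_argv_vulnerable(url: str, target_dir: str) -> list[str]:
    """Naive construction: the URL is dropped straight into argv."""
    return ["hg", "clone", url, target_dir]


# Only schemes and characters a Mercurial remote legitimately uses.
# Anchored at the start, so a leading '-' can never match. Assumed shape.
SAFE_HG_URL = re.compile(r"^(?:https?|ssh|file)://[A-Za-z0-9._~:@/%+-]+$")


def validate_hg_url(url: str) -> str:
    """Allow-list check: reject anything that is not a plain remote URL."""
    if url.startswith("-") or not SAFE_HG_URL.match(url):
        raise ValueError(f"refusing suspicious repository URL: {url!r}")
    return url


def build_argv_hardened(url: str, target_dir: str) -> list[str]:
    """Validate first, then put `--` before positionals so hg stops option parsing."""
    url = validate_hg_url(url)
    return ["hg", "clone", "--", url, target_dir]


def looks_like_option(argv: list[str]) -> list[str]:
    """Return the words hg's getopt-style parser would treat as options.

    Model of GNU-style parsing: words after a bare `--` are positional;
    before it, any word starting with '-' is an option.
    """
    injected: list[str] = []
    positional_only = False
    for word in argv[2:]:  # skip program name and subcommand
        if word == "--":
            positional_only = True
            continue
        if not positional_only and word.startswith("-"):
            injected.append(word)
    return injected


def main() -> None:
    for url in (GOOD_URL, SSH_URL, EVIL_URL):
        argv = build_argv_vulnerable(url, "/tmp/checkout")
        verdict = "option injected" if looks_like_option(argv) else "ok"
        print(shlex.join(argv), "->", verdict)
        try:
            print("  hardened:", shlex.join(build_argv_hardened(url, "/tmp/checkout")))
        except ValueError as err:
            print("  hardened:", err)


if __name__ == "__main__":
    main()
```

The two mitigations are deliberately independent: the `--` terminator protects the hg call even if a future code path forgets validation, and the allow-list protects other consumers of the URL (log lines, cache keys, a later `hg identify`) that never see the terminator. Note that `--` only helps for arguments that are positional on the hg side; an injected value that lands in an option's value slot still needs the allow-list.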
Vulnerable Configurations
  • cpe:2.3:a:getcomposer:composer:2.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:2.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:-:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha10:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha11:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha7:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha8:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:alpha9:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.1.0:rc:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.2.0:rc:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.3.0:-:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.3.0:rc:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.6.0:rc:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.7.0:-:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.7.0:rc:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.0:rc:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.5:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.6:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.8:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.9:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.10:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.11:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.12:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.13:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.14:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.15:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.16:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.17:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.18:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.19:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.20:*:*:*:*:*:*:*
  • cpe:2.3:a:getcomposer:composer:1.10.21:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
CVSS (v2)
Base: 6.5 (as of 21-11-2024 - 06:01)
Impact: 6.4 (subscore derived from the v2 vector below)
Exploitability: 8.0 (subscore derived from the v2 vector below)
Access
  Vector: NETWORK   Complexity: LOW   Authentication: SINGLE
Impact
  Confidentiality: PARTIAL   Integrity: PARTIAL   Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
Last major update 21-11-2024 - 06:01
Published 27-04-2021 - 21:15
Last modified 21-11-2024 - 06:01