CVE-2024-24821
Vulnerability from cvelistv5
Published
2024-02-08 23:54
Modified
2024-08-01 23:28
Severity ?
EPSS score ?
Summary
Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
```
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h"
},
{
"name": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "composer",
"vendor": "composer",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0, \u003c 2.2.23"
},
{
"status": "affected",
"version": "\u003e= 2.3, \u003c 2.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar\u0027s self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\ncomposer install --no-scripts --no-plugins\n```"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-08T23:54:04.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h"
},
{
"name": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5"
}
],
"source": {
"advisory": "GHSA-7c6p-848j-wh5h",
"discovery": "UNKNOWN"
},
"title": "Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24821",
"datePublished": "2024-02-08T23:54:04.058Z",
"dateReserved": "2024-01-31T16:28:17.944Z",
"dateUpdated": "2024-08-01T23:28:12.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-24821\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-09T00:15:08.680\",\"lastModified\":\"2024-11-21T08:59:47.200\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar\u0027s self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh\\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\\ncomposer install --no-scripts --no-plugins\\n```\"},{\"lang\":\"es\",\"value\":\"Composer es un administrador de dependencias para el lenguaje PHP. En las versiones afectadas, se incluyen varios archivos dentro del directorio de trabajo local durante la invocaci\u00f3n de Composer y en el contexto del usuario que lo ejecuta. Como tal, bajo ciertas condiciones la ejecuci\u00f3n de c\u00f3digo arbitrario puede conducir a una escalada de privilegios locales, proporcionar movimiento lateral del usuario o ejecuci\u00f3n de c\u00f3digo malicioso cuando se invoca Composer dentro de un directorio con archivos manipulados. Todos los comandos de Composer CLI se ven afectados, incluida la actualizaci\u00f3n autom\u00e1tica de Composer.phar. Los siguientes escenarios son de alto riesgo: Composer ejecutado con sudo, Canalizaciones que pueden ejecutar Composer en proyectos que no son de confianza, Entornos compartidos con desarrolladores que ejecutan Composer individualmente en el mismo proyecto. Esta vulnerabilidad se ha solucionado en las versiones 2.7.0 y 2.2.23. Se recomienda que las versiones parcheadas se apliquen lo antes posible. Cuando no sea posible, se debe abordar lo siguiente: eliminar todos los privilegios de Sudo Composer para todos los usuarios para mitigar la escalada de privilegios de root y evitar ejecutar Composer dentro de un directorio que no sea de confianza o, si es necesario, verificar que el contenido de `vendor/composer/InstalledVersions.php ` y `vendor/composer/installed.php` no incluyen c\u00f3digo que no sea de confianza. Tambi\u00e9n se puede restablecer estos archivos mediante lo siguiente:```sh rm seller/composer/installed.php seller/composer/InstalledVersions.php Composer install --no-scripts --no-plugins ```\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-829\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.2.23\",\"matchCriteriaId\":\"ABFF8B5F-7C4A-4D4A-8BA4-31288D642194\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.7.0\",\"matchCriteriaId\":\"04E48189-BFEC-410C-863C-B3A7AD233152\"}]}]}],\"references\":[{\"url\":\"https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.