7.0 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Composer: Arbitrary file write outside vendor via malicious transitive package name
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.
References
-
https://github.com/composer/composer/security/advisories/GHSA-499r-g7pc-vmp9 x_refsource_CONFIRM
-
https://github.com/composer/composer/releases/tag/2.10.2 x_refsource_MISC
-
https://github.com/composer/composer/releases/tag/2.2.29 x_refsource_MISC
Affected products
- ==>= 2.3.0, < 2.10.2
- ==>= 1.0, < 2.2.29
Matching in nixpkgs
pkgs.subtitlecomposer
Open source text-based subtitle editor
pkgs.phpPackages.composer
Dependency Manager for PHP
pkgs.php82Packages.composer
Dependency Manager for PHP
pkgs.php83Packages.composer
Dependency Manager for PHP
pkgs.php84Packages.composer
Dependency Manager for PHP
pkgs.php85Packages.composer
Dependency Manager for PHP
pkgs.composer-require-checker
CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies
pkgs.haskellPackages.gogol-composer
Google Cloud Composer SDK
pkgs.phpPackages.cyclonedx-php-composer
Composer plugin that facilitates the creation of a CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
pkgs.php82Packages.cyclonedx-php-composer
Composer plugin that facilitates the creation of a CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
pkgs.php83Packages.cyclonedx-php-composer
Composer plugin that facilitates the creation of a CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
pkgs.php84Packages.cyclonedx-php-composer
Composer plugin that facilitates the creation of a CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
pkgs.php85Packages.cyclonedx-php-composer
Composer plugin that facilitates the creation of a CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
pkgs.phpPackages.composer-local-repo-plugin
Composer plugin that facilitates the creation of a local composer type repository
pkgs.php82Packages.composer-local-repo-plugin
Composer plugin that facilitates the creation of a local composer type repository
pkgs.php83Packages.composer-local-repo-plugin
Composer plugin that facilitates the creation of a local composer type repository
pkgs.php84Packages.composer-local-repo-plugin
Composer plugin that facilitates the creation of a local composer type repository
Package maintainers
-
@patka-123 patka <patka@patka.dev>
-
@piotrkwiecinski Piotr Kwiecinski <piokwiecinski+nixpkgs@gmail.com>
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@Ma27 Maximilian Bosch <maximilian@mbosch.me>
-
@aanderse Aaron Andersen <aaron@fosslib.net>
-
@kugland André Kugland <kugland@gmail.com>