cvelistv5 - cve-2023-43655

CVE-2023-43655 (GCVE-0-2023-43655)

Vulnerability from cvelistv5 – Published: 2023-09-29 19:33 – Updated: 2025-06-18 13:59

Summary

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/composer/composer/security/adv…	x_refsource_CONFIRM
	https://github.com/composer/composer/commit/4fce1…	x_refsource_MISC
	https://github.com/composer/composer/commit/955a4…	x_refsource_MISC
	https://github.com/composer/composer/commit/95e09…	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.debian.org/debian-lts-announce/2024…

Impacted products

	Vendor	Product	Version
	composer	composer	Affected: 2.6.4, 2.2.21, 1.10.27 Affected: >= 2.0, < 2.2.22 Affected: < 1.10.27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:44:43.787Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf"
          },
          {
            "name": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d"
          },
          {
            "name": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c"
          },
          {
            "name": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:docker:composer:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "composer",
            "vendor": "docker",
            "versions": [
              {
                "lessThanOrEqual": "2.6.4",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-43655",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-23T16:22:54.194704Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T13:59:58.568Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "composer",
          "vendor": "composer",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.4, 2.2.21, 1.10.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0, \u003c 2.2.22"
            },
            {
              "status": "affected",
              "version": "\u003c 1.10.27"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-27T10:05:55.605Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf"
        },
        {
          "name": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d"
        },
        {
          "name": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c"
        },
        {
          "name": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html"
        }
      ],
      "source": {
        "advisory": "GHSA-jm6m-4632-36hf",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution via web-accessible composer.phar"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-43655",
    "datePublished": "2023-09-29T19:33:32.183Z",
    "dateReserved": "2023-09-20T15:35:38.147Z",
    "dateUpdated": "2025-06-18T13:59:58.568Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.10.27\", \"matchCriteriaId\": \"66CB8B8A-9709-486A-BFA5-B92C4A11FA03\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.2.21\", \"matchCriteriaId\": \"BFF216E8-6DB2-42E3-8AC8-A3F09E295E5C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.3.0\", \"versionEndExcluding\": \"2.6.4\", \"matchCriteriaId\": \"23A42BAC-CC39-4A97-9A3B-60654E18A061\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.\\n\"}, {\"lang\": \"es\", \"value\": \"Composer es un administrador de dependencias para PHP. Los usuarios que publican un composer.phar en un servidor p\\u00fablico accesible desde la web donde se puede ejecutar el composer.phar como un archivo php pueden estar sujetos a una vulnerabilidad de ejecuci\\u00f3n remota de c\\u00f3digo si PHP tambi\\u00e9n tiene `register_argc_argv` habilitado en php.ini. Las versiones 2.6.4, 2.2.22 y 1.10.27 corrigen esta vulnerabilidad. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que `register_argc_argv` est\\u00e9 deshabilitado en php.ini y evitar publicar composer.phar en la web, ya que esta no es la mejor pr\\u00e1ctica.\"}]",
      "id": "CVE-2023-43655",
      "lastModified": "2024-11-21T08:24:33.280",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.5, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2023-09-29T20:15:09.987",
      "references": "[{\"url\": \"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-74\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-43655\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-09-29T20:15:09.987\",\"lastModified\":\"2025-04-23T17:31:40.740\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.\"},{\"lang\":\"es\",\"value\":\"Composer es un administrador de dependencias para PHP. Los usuarios que publican un composer.phar en un servidor p\u00fablico accesible desde la web donde se puede ejecutar el composer.phar como un archivo php pueden estar sujetos a una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo si PHP tambi\u00e9n tiene `register_argc_argv` habilitado en php.ini. Las versiones 2.6.4, 2.2.22 y 1.10.27 corrigen esta vulnerabilidad. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que `register_argc_argv` est\u00e9 deshabilitado en php.ini y evitar publicar composer.phar en la web, ya que esta no es la mejor pr\u00e1ctica.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.5,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.27\",\"matchCriteriaId\":\"66CB8B8A-9709-486A-BFA5-B92C4A11FA03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.2.21\",\"matchCriteriaId\":\"BFF216E8-6DB2-42E3-8AC8-A3F09E295E5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.6.4\",\"matchCriteriaId\":\"23A42BAC-CC39-4A97-9A3B-60654E18A061\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC559B26-5DFC-4B7A-A27C-B77DE755DFF9\"}]}]}],\"references\":[{\"url\":\"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\", \"name\": \"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\", \"name\": \"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\", \"name\": \"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\", \"name\": \"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:44:43.787Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-43655\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-23T16:22:54.194704Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:docker:composer:-:*:*:*:*:*:*:*\"], \"vendor\": \"docker\", \"product\": \"composer\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.6.4\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-23T16:24:58.786Z\"}}], \"cna\": {\"title\": \"Remote Code Execution via web-accessible composer.phar\", \"source\": {\"advisory\": \"GHSA-jm6m-4632-36hf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"composer\", \"product\": \"composer\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.6.4, 2.2.21, 1.10.27\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0, \u003c 2.2.22\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.10.27\"}]}], \"references\": [{\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\", \"name\": \"https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\", \"name\": \"https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\", \"name\": \"https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\", \"name\": \"https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-27T10:05:55.605Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-43655\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-18T13:59:58.568Z\", \"dateReserved\": \"2023-09-20T15:35:38.147Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-09-29T19:33:32.183Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2023-AVI-0966

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Tenable Security Center. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Tenable	Security Center	Security Center versions antérieures à 6.2.1

References

Title

Publication Time

Tags

Bulletin de sécurité Tenable TNS-2023-42

2023-11-20

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Security Center versions ant\u00e9rieures \u00e0 6.2.1",
      "product": {
        "name": "Security Center",
        "vendor": {
          "name": "Tenable",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-45802",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45802"
    },
    {
      "name": "CVE-2023-43655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43655"
    },
    {
      "name": "CVE-2023-43622",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43622"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0966",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-11-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Tenable Security Center. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Tenable Security Center",
  "vendor_advisories": [
    {
      "published_at": "2023-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Tenable TNS-2023-42",
      "url": "https://www.tenable.com/security/tns-2023-42"
    }
  ]
}

CERTFR-2023-AVI-0966

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Tenable	Security Center	Security Center versions antérieures à 6.2.1

References

Title

Publication Time

Tags

Bulletin de sécurité Tenable TNS-2023-42

2023-11-20

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Security Center versions ant\u00e9rieures \u00e0 6.2.1",
      "product": {
        "name": "Security Center",
        "vendor": {
          "name": "Tenable",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-45802",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45802"
    },
    {
      "name": "CVE-2023-43655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43655"
    },
    {
      "name": "CVE-2023-43622",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43622"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0966",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-11-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Tenable Security Center. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Tenable Security Center",
  "vendor_advisories": [
    {
      "published_at": "2023-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Tenable TNS-2023-42",
      "url": "https://www.tenable.com/security/tns-2023-42"
    }
  ]
}

GSD-2023-43655

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-43655

Aliases

CVE-2023-43655

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-43655",
    "id": "GSD-2023-43655"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-43655"
      ],
      "details": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.\n",
      "id": "GSD-2023-43655",
      "modified": "2023-12-13T01:20:44.519113Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-43655",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "composer",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "2.6.4, 2.2.21, 1.10.27"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.0, \u003c 2.2.22"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.10.27"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "composer"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-74",
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf",
            "refsource": "MISC",
            "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf"
          },
          {
            "name": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d",
            "refsource": "MISC",
            "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d"
          },
          {
            "name": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c",
            "refsource": "MISC",
            "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c"
          },
          {
            "name": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c",
            "refsource": "MISC",
            "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/"
          },
          {
            "name": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html",
            "refsource": "MISC",
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-jm6m-4632-36hf",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "66CB8B8A-9709-486A-BFA5-B92C4A11FA03",
                    "versionEndExcluding": "1.10.27",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BFF216E8-6DB2-42E3-8AC8-A3F09E295E5C",
                    "versionEndExcluding": "2.2.21",
                    "versionStartIncluding": "2.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "23A42BAC-CC39-4A97-9A3B-60654E18A061",
                    "versionEndExcluding": "2.6.4",
                    "versionStartIncluding": "2.3.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
                    "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.\n"
          },
          {
            "lang": "es",
            "value": "Composer es un administrador de dependencias para PHP. Los usuarios que publican un composer.phar en un servidor p\u00fablico accesible desde la web donde se puede ejecutar el composer.phar como un archivo php pueden estar sujetos a una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo si PHP tambi\u00e9n tiene `register_argc_argv` habilitado en php.ini. Las versiones 2.6.4, 2.2.22 y 1.10.27 corrigen esta vulnerabilidad. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que `register_argc_argv` est\u00e9 deshabilitado en php.ini y evitar publicar composer.phar en la web, ya que esta no es la mejor pr\u00e1ctica."
          }
        ],
        "id": "CVE-2023-43655",
        "lastModified": "2024-03-27T10:15:08.007",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 0.5,
              "impactScore": 5.9,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-09-29T20:15:09.987",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-74"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

OPENSUSE-SU-2024:13290-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

php-composer2-2.6.4-1.1 on GA media

Notes

Title of the patch

php-composer2-2.6.4-1.1 on GA media

Description of the patch

These are all security issues fixed in the php-composer2-2.6.4-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13290

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "php-composer2-2.6.4-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the php-composer2-2.6.4-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13290",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13290-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-43655 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-43655/"
      }
    ],
    "title": "php-composer2-2.6.4-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13290-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.6.4-1.1.aarch64",
                "product": {
                  "name": "php-composer2-2.6.4-1.1.aarch64",
                  "product_id": "php-composer2-2.6.4-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.6.4-1.1.ppc64le",
                "product": {
                  "name": "php-composer2-2.6.4-1.1.ppc64le",
                  "product_id": "php-composer2-2.6.4-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.6.4-1.1.s390x",
                "product": {
                  "name": "php-composer2-2.6.4-1.1.s390x",
                  "product_id": "php-composer2-2.6.4-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.6.4-1.1.x86_64",
                "product": {
                  "name": "php-composer2-2.6.4-1.1.x86_64",
                  "product_id": "php-composer2-2.6.4-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.6.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.aarch64"
        },
        "product_reference": "php-composer2-2.6.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.6.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.ppc64le"
        },
        "product_reference": "php-composer2-2.6.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.6.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.s390x"
        },
        "product_reference": "php-composer2-2.6.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.6.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.x86_64"
        },
        "product_reference": "php-composer2-2.6.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-43655",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-43655"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.aarch64",
          "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.ppc64le",
          "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.s390x",
          "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-43655",
          "url": "https://www.suse.com/security/cve/CVE-2023-43655"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215859 for CVE-2023-43655",
          "url": "https://bugzilla.suse.com/1215859"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.aarch64",
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.ppc64le",
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.s390x",
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.aarch64",
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.ppc64le",
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.s390x",
            "openSUSE Tumbleweed:php-composer2-2.6.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-43655"
    }
  ]
}

SUSE-SU-2023:4041-1

Vulnerability from csaf_suse - Published: 2023-10-10 16:29 - Updated: 2023-10-10 16:29

Summary

Security update for php-composer2

Notes

Title of the patch

Security update for php-composer2

Description of the patch

This update for php-composer2 fixes the following issues: - CVE-2023-43655: Fixed a remote code execution issue that could be triggered if users published a web-accessible composer.phar file (bsc#1215859).

Patchnames

SUSE-2023-4041,SUSE-SLE-Module-Web-Scripting-15-SP4-2023-4041,SUSE-SLE-Module-Web-Scripting-15-SP5-2023-4041,openSUSE-SLE-15.4-2023-4041,openSUSE-SLE-15.5-2023-4041

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for php-composer2",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for php-composer2 fixes the following issues:\n\n- CVE-2023-43655: Fixed a remote code execution issue that could be\n  triggered if users published a web-accessible composer.phar file\n  (bsc#1215859).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2023-4041,SUSE-SLE-Module-Web-Scripting-15-SP4-2023-4041,SUSE-SLE-Module-Web-Scripting-15-SP5-2023-4041,openSUSE-SLE-15.4-2023-4041,openSUSE-SLE-15.5-2023-4041",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_4041-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2023:4041-1",
        "url": "https://www.suse.com/support/update/announcement/2023/suse-su-20234041-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2023:4041-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-October/016625.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1215859",
        "url": "https://bugzilla.suse.com/1215859"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-43655 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-43655/"
      }
    ],
    "title": "Security update for php-composer2",
    "tracking": {
      "current_release_date": "2023-10-10T16:29:13Z",
      "generator": {
        "date": "2023-10-10T16:29:13Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2023:4041-1",
      "initial_release_date": "2023-10-10T16:29:13Z",
      "revision_history": [
        {
          "date": "2023-10-10T16:29:13Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.2.3-150400.3.6.1.noarch",
                "product": {
                  "name": "php-composer2-2.2.3-150400.3.6.1.noarch",
                  "product_id": "php-composer2-2.2.3-150400.3.6.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP4",
                  "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
                  "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.5",
                "product": {
                  "name": "openSUSE Leap 15.5",
                  "product_id": "openSUSE Leap 15.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.3-150400.3.6.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP4:php-composer2-2.2.3-150400.3.6.1.noarch"
        },
        "product_reference": "php-composer2-2.2.3-150400.3.6.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.3-150400.3.6.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.6.1.noarch"
        },
        "product_reference": "php-composer2-2.2.3-150400.3.6.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.3-150400.3.6.1.noarch as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:php-composer2-2.2.3-150400.3.6.1.noarch"
        },
        "product_reference": "php-composer2-2.2.3-150400.3.6.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.3-150400.3.6.1.noarch as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.6.1.noarch"
        },
        "product_reference": "php-composer2-2.2.3-150400.3.6.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-43655",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-43655"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP4:php-composer2-2.2.3-150400.3.6.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.6.1.noarch",
          "openSUSE Leap 15.4:php-composer2-2.2.3-150400.3.6.1.noarch",
          "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.6.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-43655",
          "url": "https://www.suse.com/security/cve/CVE-2023-43655"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215859 for CVE-2023-43655",
          "url": "https://bugzilla.suse.com/1215859"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP4:php-composer2-2.2.3-150400.3.6.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.6.1.noarch",
            "openSUSE Leap 15.4:php-composer2-2.2.3-150400.3.6.1.noarch",
            "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.6.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP4:php-composer2-2.2.3-150400.3.6.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.6.1.noarch",
            "openSUSE Leap 15.4:php-composer2-2.2.3-150400.3.6.1.noarch",
            "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.6.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-10-10T16:29:13Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-43655"
    }
  ]
}

FKIE_CVE-2023-43655

Vulnerability from fkie_nvd - Published: 2023-09-29 20:15 - Updated: 2025-04-23 17:31

Severity ?

6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d	Patch
security-advisories@github.com	https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c	Patch
security-advisories@github.com	https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c	Patch
security-advisories@github.com	https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf	Vendor Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html	Mailing List
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/	Mailing List, Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/	Mailing List, Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
getcomposer	composer	*
getcomposer	composer	*
getcomposer	composer	*
debian	debian_linux	10.0
fedoraproject	fedora	37
fedoraproject	fedora	38

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "66CB8B8A-9709-486A-BFA5-B92C4A11FA03",
              "versionEndExcluding": "1.10.27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFF216E8-6DB2-42E3-8AC8-A3F09E295E5C",
              "versionEndExcluding": "2.2.21",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "23A42BAC-CC39-4A97-9A3B-60654E18A061",
              "versionEndExcluding": "2.6.4",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
              "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice."
    },
    {
      "lang": "es",
      "value": "Composer es un administrador de dependencias para PHP. Los usuarios que publican un composer.phar en un servidor p\u00fablico accesible desde la web donde se puede ejecutar el composer.phar como un archivo php pueden estar sujetos a una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo si PHP tambi\u00e9n tiene `register_argc_argv` habilitado en php.ini. Las versiones 2.6.4, 2.2.22 y 1.10.27 corrigen esta vulnerabilidad. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que `register_argc_argv` est\u00e9 deshabilitado en php.ini y evitar publicar composer.phar en la web, ya que esta no es la mejor pr\u00e1ctica."
    }
  ],
  "id": "CVE-2023-43655",
  "lastModified": "2025-04-23T17:31:40.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-29T20:15:09.987",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-JM6M-4632-36HF

Vulnerability from github – Published: 2023-09-29 20:39 – Updated: 2025-02-13 19:15

Summary

Composer Remote Code Execution vulnerability via web-accessible composer.phar

Details

Impact

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Patches

2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.

Workarounds

Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "composer/composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "composer/composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "composer/composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-29T20:39:21Z",
    "nvd_published_at": "2023-09-29T20:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nUsers publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.\n\n### Patches\n\n2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.\n\n### Workarounds\n\nMake sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.",
  "id": "GHSA-jm6m-4632-36hf",
  "modified": "2025-02-13T19:15:08Z",
  "published": "2023-09-29T20:39:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43655"
    },
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/composer/composer"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Composer Remote Code Execution vulnerability via web-accessible composer.phar"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-43655 (GCVE-0-2023-43655)

CERTFR-2023-AVI-0966

Solution

CERTFR-2023-AVI-0966

Solution

GSD-2023-43655

OPENSUSE-SU-2024:13290-1

SUSE-SU-2023:4041-1

FKIE_CVE-2023-43655

GHSA-JM6M-4632-36HF

Impact

Patches

Workarounds

Tags

Sightings

Nomenclature