CVE-2024-35241 (GCVE-0-2024-35241)
Vulnerability from cvelistv5 – Published: 2024-06-10 21:19 – Updated: 2025-04-21 15:20 – CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
| URL | Tags |
|---|---|
| https://github.com/composer/composer/security/adv… | x_refsource_CONFIRM |
| https://github.com/composer/composer/commit/b93fc… | x_refsource_MISC |
| https://github.com/composer/composer/commit/ee283… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | |
| https://lists.fedoraproject.org/archives/list/pac… | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "39"
},
{
"status": "affected",
"version": "40"
}
]
},
{
"cpes": [
"cpe:2.3:a:getcomposer:composer:2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "composer",
"vendor": "getcomposer",
"versions": [
{
"lessThan": "2.2.24",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:getcomposer:composer:2.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "composer",
"vendor": "getcomposer",
"versions": [
{
"lessThan": "2.7.7",
"status": "affected",
"version": "2.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T20:42:58.759423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T20:43:01.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-21T15:20:35.089Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer"
},
{
"name": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c"
},
{
"name": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4"
},
{
"name": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "composer",
"vendor": "composer",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0, \u003c 2.2.24"
},
{
"status": "affected",
"version": "\u003e= 2.3, \u003c 2.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T03:05:52.267Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c"
},
{
"name": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4"
},
{
"name": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/"
}
],
"source": {
"advisory": "GHSA-47f6-5gq3-vx9c",
"discovery": "UNKNOWN"
},
"title": "Composer vulnerable to command injection via malicious git branch name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35241",
"datePublished": "2024-06-10T21:19:47.123Z",
"dateReserved": "2024-05-14T15:39:41.786Z",
"dateUpdated": "2025-04-21T15:20:35.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-35241",
"date": "2026-05-27",
"epss": "0.00442",
"percentile": "0.63462"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.\\n\"}, {\"lang\": \"es\", \"value\": \"Composer es un administrador de dependencias para PHP. En la rama 2.x anterior a las versiones 2.2.24 y 2.7.7, los comandos `status`, `reinstall` y `remove` con paquetes instalados desde el c\\u00f3digo fuente a trav\\u00e9s de git que contienen nombres de ramas especialmente manipulados en el repositorio se pueden usar para ejecutar c\\u00f3digo. Los parches para este problema est\\u00e1n disponibles en la versi\\u00f3n 2.2.24 para 2.2 LTS o 2.7.7 para la l\\u00ednea principal. Como workaround, evite instalar dependencias a trav\\u00e9s de git usando `--prefer-dist` o la configuraci\\u00f3n de configuraci\\u00f3n `preferred-install: dist`.\"}]",
"id": "CVE-2024-35241",
"lastModified": "2024-11-21T09:20:00.293",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2024-06-10T22:15:09.677",
"references": "[{\"url\": \"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-35241\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-10T22:15:09.677\",\"lastModified\":\"2025-04-21T16:15:54.053\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.\"},{\"lang\":\"es\",\"value\":\"Composer es un administrador de dependencias para PHP. En la rama 2.x anterior a las versiones 2.2.24 y 2.7.7, los comandos `status`, `reinstall` y `remove` con paquetes instalados desde el c\u00f3digo fuente a trav\u00e9s de git que contienen nombres de ramas especialmente manipulados en el repositorio se pueden usar para ejecutar c\u00f3digo. Los parches para este problema est\u00e1n disponibles en la versi\u00f3n 2.2.24 para 2.2 LTS o 2.7.7 para la l\u00ednea principal. 
Como workaround, evite instalar dependencias a trav\u00e9s de git usando `--prefer-dist` o la configuraci\u00f3n de configuraci\u00f3n `preferred-install: dist`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"references\":[{\"url\":\"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github
.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability\"}, {\"url\": \"https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer\"}, {\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\", \"name\": \"https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\", \"name\": \"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\", \"name\": \"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/\", \"tags\": [\"x_transferred\"]}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-04-21T15:20:35.089Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-35241\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-15T20:42:58.759423Z\"}}}], \"affected\": [{\"cpes\": 
[\"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*\", \"cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*\"], \"vendor\": \"fedoraproject\", \"product\": \"fedora\", \"versions\": [{\"status\": \"affected\", \"version\": \"39\"}, {\"status\": \"affected\", \"version\": \"40\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:getcomposer:composer:2.0:*:*:*:*:*:*:*\"], \"vendor\": \"getcomposer\", \"product\": \"composer\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0\", \"lessThan\": \"2.2.24\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:getcomposer:composer:2.3:*:*:*:*:*:*:*\"], \"vendor\": \"getcomposer\", \"product\": \"composer\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.3\", \"lessThan\": \"2.7.7\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-15T20:37:21.403Z\"}}], \"cna\": {\"title\": \"Composer vulnerable to command injection via malicious git branch name\", \"source\": {\"advisory\": \"GHSA-47f6-5gq3-vx9c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"composer\", \"product\": \"composer\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0, \u003c 2.2.24\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.3, \u003c 2.7.7\"}]}], \"references\": [{\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\", \"name\": 
\"https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\", \"name\": \"https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\", \"name\": \"https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-20T03:05:52.267Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-35241\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-21T15:20:35.089Z\", \"dateReserved\": \"2024-05-14T15:39:41.786Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-06-10T21:19:47.123Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2025-AVI-0836
Vulnerability from certfr_avis - Published: 2025-10-01 - Updated: 2025-10-01
De multiples vulnérabilités ont été découvertes dans Tenable Security Center. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Tenable | Security Center | Security Center sans le correctif de sécurité Patch SC-202509.2 |
| Title | Publication Time | Tags |
|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Security Center sans le correctif de s\u00e9curit\u00e9 Patch SC-202509.2",
"product": {
"name": "Security Center",
"vendor": {
"name": "Tenable",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-52806",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52806"
},
{
"name": "CVE-2024-24821",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24821"
},
{
"name": "CVE-2024-35241",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35241"
},
{
"name": "CVE-2024-51736",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51736"
},
{
"name": "CVE-2024-45411",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45411"
},
{
"name": "CVE-2023-46734",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46734"
},
{
"name": "CVE-2024-51755",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51755"
},
{
"name": "CVE-2024-50345",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50345"
},
{
"name": "CVE-2025-27773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27773"
},
{
"name": "CVE-2024-35242",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35242"
},
{
"name": "CVE-2024-51754",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51754"
}
],
"initial_release_date": "2025-10-01T00:00:00",
"last_revision_date": "2025-10-01T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0836",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-01T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Tenable Security Center. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Tenable",
"vendor_advisories": [
{
"published_at": "2025-09-26",
"title": "Bulletin de s\u00e9curit\u00e9 Tenable tns-2025-20",
"url": "https://www.tenable.com/security/tns-2025-20"
}
]
}
CERTFR-2025-AVI-0836
Vulnerability from certfr_avis - Published: 2025-10-01 - Updated: 2025-10-01
De multiples vulnérabilités ont été découvertes dans Tenable Security Center. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Tenable | Security Center | Security Center sans le correctif de sécurité Patch SC-202509.2 |
| Title | Publication Time | Tags |
|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Security Center sans le correctif de s\u00e9curit\u00e9 Patch SC-202509.2",
"product": {
"name": "Security Center",
"vendor": {
"name": "Tenable",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-52806",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52806"
},
{
"name": "CVE-2024-24821",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24821"
},
{
"name": "CVE-2024-35241",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35241"
},
{
"name": "CVE-2024-51736",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51736"
},
{
"name": "CVE-2024-45411",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45411"
},
{
"name": "CVE-2023-46734",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46734"
},
{
"name": "CVE-2024-51755",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51755"
},
{
"name": "CVE-2024-50345",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50345"
},
{
"name": "CVE-2025-27773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27773"
},
{
"name": "CVE-2024-35242",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35242"
},
{
"name": "CVE-2024-51754",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51754"
}
],
"initial_release_date": "2025-10-01T00:00:00",
"last_revision_date": "2025-10-01T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0836",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-01T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Tenable Security Center. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Tenable",
"vendor_advisories": [
{
"published_at": "2025-09-26",
"title": "Bulletin de s\u00e9curit\u00e9 Tenable tns-2025-20",
"url": "https://www.tenable.com/security/tns-2025-20"
}
]
}
BDU:2024-04878
Vulnerability from fstec - Published: 10.06.2024
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Nils Adermann, Jordi Boggiano, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Common Edition), \u0434\u043e 2.2.24 (Composer), \u0434\u043e 2.7.7 (Composer), \u0434\u043e 2.11 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), 1.8 (Astra Linux Special Edition)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Composer:\nhttps://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4 \nhttps://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704 \nhttps://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (2.11):\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f composer \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.8.4-1+deb10u4\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 composer \u0434\u043e 1.8.4-1+deb10u4 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 1.8:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 composer \u0434\u043e 2.5.5-1+deb12u2.astra1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 
\u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se18-bulletin-2024-0905SE18MD\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7 \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b ARM:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 composer \u0434\u043e 1.8.4-1+deb10u4 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 composer \u0434\u043e 1.2.2-1+deb9u3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "10.06.2024",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "20.01.2026",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "28.06.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-04878",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-35241",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), Composer, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.11 
(\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.8 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 getUnpushedChanges() \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u0430 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0435\u0439 \u0434\u043b\u044f PHP Composer, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0447\u0438\u0441\u0442\u043a\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u043d\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0449\u0435\u043c \u0443\u0440\u043e\u0432\u043d\u0435 (\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0443) (CWE-77)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 getUnpushedChanges() \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u0430 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0435\u0439 \u0434\u043b\u044f PHP Composer \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u043c\u0430\u043d\u0434 `status`, `reinstall` \u0438 `remove`",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4\nhttps://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704\nhttps://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c\nhttps://redos.red-soft.ru/support/secure/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.11/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\nhttps://wiki.astralinux.ru/astra-linux-se18-bulletin-2024-0905SE18MD\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-77",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,8)"
}
bit-composer-2024-35241
Vulnerability from bitnami_vulndb
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "composer",
"purl": "pkg:bitnami/composer"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.24"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.7.7"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2024-35241"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:php:*:*"
],
"severity": "High"
},
"details": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.",
"id": "BIT-composer-2024-35241",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-06-12T07:16:36.198Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35241"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer"
}
],
"schema_version": "1.5.0",
"summary": "Composer vulnerable to command injection via malicious git branch name"
}
FKIE_CVE-2024-35241
Vulnerability from fkie_nvd - Published: 2024-06-10 22:15 - Updated: 2026-04-15 00:35
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting."
},
{
"lang": "es",
"value": "Composer es un administrador de dependencias para PHP. En la rama 2.x anterior a las versiones 2.2.24 y 2.7.7, los comandos `status`, `reinstall` y `remove` con paquetes instalados desde el c\u00f3digo fuente a trav\u00e9s de git que contienen nombres de ramas especialmente manipulados en el repositorio se pueden usar para ejecutar c\u00f3digo. Los parches para este problema est\u00e1n disponibles en la versi\u00f3n 2.2.24 para 2.2 LTS o 2.7.7 para la l\u00ednea principal. Como workaround, evite instalar dependencias a trav\u00e9s de git usando `--prefer-dist` o la configuraci\u00f3n de configuraci\u00f3n `preferred-install: dist`."
}
],
"id": "CVE-2024-35241",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-06-10T22:15:09.677",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-47F6-5GQ3-VX9C
Vulnerability from github – Published: 2024-06-10 21:36 – Updated: 2025-04-23 14:38
Impact
The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.
Patches
2.2.24 for 2.2 LTS or 2.7.7 for mainline
Workarounds
Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "composer/composer"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "2.2.24"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "composer/composer"
},
"ranges": [
{
"events": [
{
"introduced": "2.3"
},
{
"fixed": "2.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-35241"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-10T21:36:32Z",
"nvd_published_at": "2024-06-10T22:15:09Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.\n\n### Patches\n\n2.2.24 for 2.2 LTS or 2.7.7 for mainline\n\n### Workarounds\n\nAvoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.",
"id": "GHSA-47f6-5gq3-vx9c",
"modified": "2025-04-23T14:38:49Z",
"published": "2024-06-10T21:36:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35241"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704"
},
{
"type": "PACKAGE",
"url": "https://github.com/composer/composer"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Composer has a command injection via malicious git branch name"
}
OPENSUSE-SU-2024:14040-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64 | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64 | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "php-composer2-2.7.7-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the php-composer2-2.7.7-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14040",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14040-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35241 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35241/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35242 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35242/"
}
],
"title": "php-composer2-2.7.7-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14040-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.7.7-1.1.aarch64",
"product": {
"name": "php-composer2-2.7.7-1.1.aarch64",
"product_id": "php-composer2-2.7.7-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.7.7-1.1.ppc64le",
"product": {
"name": "php-composer2-2.7.7-1.1.ppc64le",
"product_id": "php-composer2-2.7.7-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.7.7-1.1.s390x",
"product": {
"name": "php-composer2-2.7.7-1.1.s390x",
"product_id": "php-composer2-2.7.7-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.7.7-1.1.x86_64",
"product": {
"name": "php-composer2-2.7.7-1.1.x86_64",
"product_id": "php-composer2-2.7.7-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.7.7-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64"
},
"product_reference": "php-composer2-2.7.7-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.7.7-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le"
},
"product_reference": "php-composer2-2.7.7-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.7.7-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x"
},
"product_reference": "php-composer2-2.7.7-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.7.7-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64"
},
"product_reference": "php-composer2-2.7.7-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35241",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35241"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35241",
"url": "https://www.suse.com/security/cve/CVE-2024-35241"
},
{
"category": "external",
"summary": "SUSE Bug 1226181 for CVE-2024-35241",
"url": "https://bugzilla.suse.com/1226181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-35241"
},
{
"cve": "CVE-2024-35242",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35242"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35242",
"url": "https://www.suse.com/security/cve/CVE-2024-35242"
},
{
"category": "external",
"summary": "SUSE Bug 1226182 for CVE-2024-35242",
"url": "https://bugzilla.suse.com/1226182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.7.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-35242"
}
]
}
SUSE-SU-2024:2106-1
Vulnerability from csaf_suse - Published: 2024-06-20 14:19 - Updated: 2024-06-20 14:19
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for php-composer2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for php-composer2 fixes the following issues:\n\n- CVE-2024-35241: Fixed code execution when running `status`, `reinstall` or `remove` on packages installed from source via git whose repository contains specially crafted branch names (bsc#1226181).\n- CVE-2024-35242: Fixed command injection via specially crafted branch names when `composer install` runs inside a cloned git/hg repository (bsc#1226182).\n\nNote: the fix is backported; the package version stays 2.2.3 (release 150400.3.12.1), below the upstream fixed versions 2.2.24 / 2.7.7. Check the installed package release (rpm -q php-composer2), not the `composer --version` output, when verifying remediation, and expect version-based scanners to keep flagging the package.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-2106,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-2106,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2106,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2106,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2106,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2106,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-2106,openSUSE-SLE-15.5-2024-2106",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2106-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:2106-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20242106-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:2106-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018770.html"
},
{
"category": "self",
"summary": "SUSE Bug 1226181",
"url": "https://bugzilla.suse.com/1226181"
},
{
"category": "self",
"summary": "SUSE Bug 1226182",
"url": "https://bugzilla.suse.com/1226182"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35241 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35241/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35242 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35242/"
}
],
"title": "Security update for php-composer2",
"tracking": {
"current_release_date": "2024-06-20T14:19:04Z",
"generator": {
"date": "2024-06-20T14:19:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:2106-1",
"initial_release_date": "2024-06-20T14:19:04Z",
"revision_history": [
{
"date": "2024-06-20T14:19:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.2.3-150400.3.12.1.noarch",
"product": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch",
"product_id": "php-composer2-2.2.3-150400.3.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server 4.3",
"product": {
"name": "SUSE Manager Server 4.3",
"product_id": "SUSE Manager Server 4.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-manager-server:4.3"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch"
},
"product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch"
},
"product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch"
},
"product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch"
},
"product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch"
},
"product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of SUSE Manager Server 4.3",
"product_id": "SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch"
},
"product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch",
"relates_to_product_reference": "SUSE Manager Server 4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.3-150400.3.12.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch"
},
"product_reference": "php-composer2-2.2.3-150400.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35241",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35241"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands, when run against packages installed from source via git whose repository contains specially crafted branch names, can be used to execute code. The branch names are controlled by whoever controls the dependency's git repository, so this is a supply-chain vector for source-installed dependencies. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch",
"openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35241",
"url": "https://www.suse.com/security/cve/CVE-2024-35241"
},
{
"category": "external",
"summary": "SUSE Bug 1226181 for CVE-2024-35241",
"url": "https://bugzilla.suse.com/1226181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch",
"openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch",
"openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-20T14:19:04Z",
"details": "important"
}
],
"title": "CVE-2024-35241"
},
{
"cve": "CVE-2024-35242",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35242"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch",
"openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35242",
"url": "https://www.suse.com/security/cve/CVE-2024-35242"
},
{
"category": "external",
"summary": "SUSE Bug 1226182 for CVE-2024-35242",
"url": "https://bugzilla.suse.com/1226182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch",
"openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP5:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.3-150400.3.12.1.noarch",
"SUSE Manager Server 4.3:php-composer2-2.2.3-150400.3.12.1.noarch",
"openSUSE Leap 15.5:php-composer2-2.2.3-150400.3.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-20T14:19:04Z",
"details": "important"
}
],
"title": "CVE-2024-35242"
}
]
}
SUSE-SU-2024:2107-1
Vulnerability from csaf_suse - Published: 2024-06-20 15:33 - Updated: 2024-06-20 15:33
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for php-composer2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for php-composer2 fixes the following issues:\n\n- CVE-2024-35241: Fixed code execution when running `status`, `reinstall` or `remove` on packages installed from source via git whose repository contains specially crafted branch names (bsc#1226181).\n- CVE-2024-35242: Fixed command injection via specially crafted branch names when `composer install` runs inside a cloned git/hg repository (bsc#1226182).\n\nNote: the fix is backported; the package version stays 2.6.4 (release 150600.3.3.1), below the upstream fixed version 2.7.7. Check the installed package release (rpm -q php-composer2), not the `composer --version` output, when verifying remediation, and expect version-based scanners to keep flagging the package.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-2107,SUSE-SLE-Module-Web-Scripting-15-SP6-2024-2107,openSUSE-SLE-15.6-2024-2107",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2107-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:2107-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20242107-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:2107-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018769.html"
},
{
"category": "self",
"summary": "SUSE Bug 1226181",
"url": "https://bugzilla.suse.com/1226181"
},
{
"category": "self",
"summary": "SUSE Bug 1226182",
"url": "https://bugzilla.suse.com/1226182"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35241 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35241/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35242 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35242/"
}
],
"title": "Security update for php-composer2",
"tracking": {
"current_release_date": "2024-06-20T15:33:36Z",
"generator": {
"date": "2024-06-20T15:33:36Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:2107-1",
"initial_release_date": "2024-06-20T15:33:36Z",
"revision_history": [
{
"date": "2024-06-20T15:33:36Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.6.4-150600.3.3.1.noarch",
"product": {
"name": "php-composer2-2.6.4-150600.3.3.1.noarch",
"product_id": "php-composer2-2.6.4-150600.3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.6.4-150600.3.3.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1.noarch"
},
"product_reference": "php-composer2-2.6.4-150600.3.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.6.4-150600.3.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1.noarch"
},
"product_reference": "php-composer2-2.6.4-150600.3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-35241",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35241"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands, when run against packages installed from source via git whose repository contains specially crafted branch names, can be used to execute code. The branch names are controlled by whoever controls the dependency's git repository, so this is a supply-chain vector for source-installed dependencies. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35241",
"url": "https://www.suse.com/security/cve/CVE-2024-35241"
},
{
"category": "external",
"summary": "SUSE Bug 1226181 for CVE-2024-35241",
"url": "https://bugzilla.suse.com/1226181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-20T15:33:36Z",
"details": "important"
}
],
"title": "CVE-2024-35241"
},
{
"cve": "CVE-2024-35242",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35242"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35242",
"url": "https://www.suse.com/security/cve/CVE-2024-35242"
},
{
"category": "external",
"summary": "SUSE Bug 1226182 for CVE-2024-35242",
"url": "https://bugzilla.suse.com/1226182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:php-composer2-2.6.4-150600.3.3.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-20T15:33:36Z",
"details": "important"
}
],
"title": "CVE-2024-35242"
}
]
}
SUSE-SU-2026:1970-1
Vulnerability from csaf_suse - Published: 2026-05-18 08:16 - Updated: 2026-05-18 08:16
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for php-composer2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for php-composer2 fixes the following issues\n\n- CVE-2026-40176: command injection via malicious Perforce repository definition (bsc#1262254).\n- CVE-2026-40261: command injection via malicious Perforce source reference/url (bsc#1262255).\n\nChanges for php-composer2:\n\n- version update to 2.2.27 (align with upstream LTS version)\n * Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do\n not cause issues (246f807b, 246f807b, 246f807b)\n * Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)\n * Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)\n * Fixed issue handling paths with = in them on Windows (#11568)\n- version 2.2.26 2025-12-30\n * Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)\n- version 2.2.25 2024-12-11\n * Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support\n is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. 
(#12217)\n * Fixed issue on plugin upgrade when it defines multiple classes (#12226)\n * Fixed duplicate errors appearing in the output depending on php settings (#12214)\n * Fixed InstalledVersions returning duplicate data in some instances (#12225)\n- version 2.2.24 2024-06-10\n * Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)\n * Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)\n * Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)\n * Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)\n * Security: Fixed perforce argument escaping (3773f775)\n * Security: Fixed handling of zip bombs when extracting archives (de5f7e32)\n * Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding\n * conversion (3130a7455, 04a63b324)\n- version 2.2.23 2024-02-08\n * Security: Fixed code execution and possible privilege escalation via compromised vendor\n dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)\n- version 2.2.22 2023-09-29\n * Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP,\n and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)\n * Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)\n * Fixed handling of broken junctions on windows (#11550)\n * Fixed loading of root aliases on path repo packages when doing partial updates (#11632)\n * Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)\n * Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)\n * Fixed support for plugin classes being marked as readonly (#11404)\n * Fixed GitHub rate limit reporting (#11366)\n * Fixed 
issue displaying solver problems with branch names containing % signs (#11359)\n- version 2.2.21 2023-02-15\n * Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)\n- version 2.2.20 2023-02-10\n * Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when\n running non-interactive (#11315)\n- version 2.2.19 2023-02-04\n * Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)\n * Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)\n * Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)\n * Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0\n- version 2.2.18 2022-08-20\n * Fixed COMPOSER_NO_DEV so it also works with require and remove\u0027s --update-no-dev (#10995)\n * Fixed duplicate missing extension warnings being displayed (#10938)\n * Fixed hg version detection (#10955)\n * Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)\n- version 2.2.17 2022-07-13\n * Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target\n directory is outside of CWD (#10935)\n * Fixed support for legacy (Composer 1.x, e.g. 
hirak/prestissimo) plugins which will not warn/error anymore if\n not in allow-plugins, as they are anyway not loaded (#10928)\n * Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)\n * Fixed support for disable_functions containing disk_free_space (#10936)\n * Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)\n- version 2.2.16 2022-07-05\n * Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)\n * Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but\n plugins fully loaded (#10920)\n * Fixed deprecation notice (#10921)\n- version 2.2.15 2022-07-01\n * Fixed support for cache-read-only where the filesystem is not writable (#10906)\n * Fixed type error when using allow-plugins: true (#10909)\n * Fixed @putenv scripts receiving arguments passed to the command (#10846)\n * Fixed support for spaces in paths with binary proxies on Windows (#10836)\n * Fixed type error in GitDownloader if branches cannot be listed (#10888)\n * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)\n- version 2.2.14 2022-06-06\n * Fixed handling of broken symlinks when checking whether a package is still installed (#6708)\n * Fixed JSON schema regex pattern for name to be JS compatible (#10811)\n * Fixed bin proxies to allow a proxy to include another one safely (#10823)\n * Fixed gitlab-token JSON schema definition (#10800)\n * Fixed openssl 3.x version parsing as it is now semver compliant\n * Fixed type error when a json file cannot be read (#10818)\n * Fixed parsing of multi-line arrays in funding.yml (#10784)\n- version 2.2.13 2022-05-25\n * Fixed invalid credentials loop when setting up GitLab token (#10748)\n * Fixed PHP 8.2 deprecations (#10766)\n * Fixed lock file changes being output even when the lock file creation is disabled\n * Fixed race 
condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)\n * Fixed quoting of commas on Windows (#10775)\n * Fixed issue installing path repos with a disabled symlink function (#10786)\n- version 2.2.12 2022-04-13\n * Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)\n * Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)\n * Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)\n * Fixed validate command checking the lock file even if the lock option is disabled (#10723)\n- version 2.2.11 2022-04-01\n * Added missing config.bitbucket-oauth in composer-schema.json\n * Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)\n * Updated semver, jsonlint deps for minor fixes\n * Fixed generation of autoload crashing if a package has a broken path (#10688)\n * Removed dev-master=\u003edev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)\n- version 2.2.10 2022-03-29\n * Fixed Bitbucket authorization detection due to API changes (#10657)\n * Fixed validate command warning about dist/source keys if defined (#10655)\n * Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)\n- version 2.2.9 2022-03-15\n * Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#10621)\n- version 2.2.8 2022-03-15\n * Fixed files autoloading sort order to be fully deterministic (#10617)\n * Fixed pool optimization pass edge cases (#10579)\n * Fixed require command failing when self.version is used as constraint (#10593)\n * Fixed --no-ansi / undecorated output still showing color in repo warnings (#10601)\n * Performance improvement in pool optimization step (composer/semver#131)\n- version 2.2.7 2022-02-25\n * Allow installation together with composer/xdebug-handler 
^3 (#10528)\n * Fixed support for packages with no licenses in licenses command output (#10537)\n * Fixed handling of allow-plugins: false which kept warning (#10530)\n * Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#10521)\n * Fixed author parsing in init command requiring an email whereas the schema allows a name only (#10538)\n * Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#10541)\n * Performance improvement in pool optimization step (#10546)\n- version 2.2.6 2022-02-04\n * BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed\n to COMPOSER_RUNTIME_BIN_DIR (#10512)\n * Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#10498)\n * Fixed package search not urlencoding the input (#10500)\n * Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#10514)\n * Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)\n * Fixed test suite compatibility with latest symfony/console releases (#10499)\n * Fixed some error reporting edge cases (#10484, #10451, #10493)\n- version 2.2.5 2022-01-21\n * Disabled composer/package-versions-deprecated by default as it can function using Composer\\InstalledVersions at runtime (#10458)\n * Fixed artifact repositories crashing if a phar file was present in the directory (#10406)\n * Fixed binary proxy issue on PHP \u003c8 when fseek is used on the proxied binary path (#10468)\n * Fixed handling of non-string versions in package repositories metadata (#10470)\n- version 2.2.4 2022-01-08\n * Fixed handling of process timeout when running async processes during installation\n * Fixed GitLab API handling when projects have a repository disabled (#10440)\n * Fixed reading of environment variables (e.g. 
APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)\n * Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)\n * Fixed support for sourcing binaries via the new bin proxies (#10389)\n * Fixed messaging when GitHub tokens need SSO authorization (#10432)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1970,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1970",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1970-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1970-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261970-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1970-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046554.html"
},
{
"category": "self",
"summary": "SUSE Bug 1262254",
"url": "https://bugzilla.suse.com/1262254"
},
{
"category": "self",
"summary": "SUSE Bug 1262255",
"url": "https://bugzilla.suse.com/1262255"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-24828 page",
"url": "https://www.suse.com/security/cve/CVE-2022-24828/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-43655 page",
"url": "https://www.suse.com/security/cve/CVE-2023-43655/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-24821 page",
"url": "https://www.suse.com/security/cve/CVE-2024-24821/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35241 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35241/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35242 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35242/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-67746 page",
"url": "https://www.suse.com/security/cve/CVE-2025-67746/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40176 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40176/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40261 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40261/"
}
],
"title": "Security update for php-composer2",
"tracking": {
"current_release_date": "2026-05-18T08:16:15Z",
"generator": {
"date": "2026-05-18T08:16:15Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1970-1",
"initial_release_date": "2026-05-18T08:16:15Z",
"revision_history": [
{
"date": "2026-05-18T08:16:15Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.2.27-150400.3.18.1.noarch",
"product": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch",
"product_id": "php-composer2-2.2.27-150400.3.18.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24828",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-24828"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json\u0027s `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-24828",
"url": "https://www.suse.com/security/cve/CVE-2022-24828"
},
{
"category": "external",
"summary": "SUSE Bug 1198494 for CVE-2022-24828",
"url": "https://bugzilla.suse.com/1198494"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2022-24828"
},
{
"cve": "CVE-2023-43655",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-43655"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-43655",
"url": "https://www.suse.com/security/cve/CVE-2023-43655"
},
{
"category": "external",
"summary": "SUSE Bug 1215859 for CVE-2023-43655",
"url": "https://bugzilla.suse.com/1215859"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "moderate"
}
],
"title": "CVE-2023-43655"
},
{
"cve": "CVE-2024-24821",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-24821"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar\u0027s self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\ncomposer install --no-scripts --no-plugins\n```",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-24821",
"url": "https://www.suse.com/security/cve/CVE-2024-24821"
},
{
"category": "external",
"summary": "SUSE Bug 1219757 for CVE-2024-24821",
"url": "https://bugzilla.suse.com/1219757"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2024-24821"
},
{
"cve": "CVE-2024-35241",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35241"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35241",
"url": "https://www.suse.com/security/cve/CVE-2024-35241"
},
{
"category": "external",
"summary": "SUSE Bug 1226181 for CVE-2024-35241",
"url": "https://bugzilla.suse.com/1226181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2024-35241"
},
{
"cve": "CVE-2024-35242",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35242"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35242",
"url": "https://www.suse.com/security/cve/CVE-2024-35242"
},
{
"category": "external",
"summary": "SUSE Bug 1226182 for CVE-2024-35242",
"url": "https://bugzilla.suse.com/1226182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2024-35242"
},
{
"cve": "CVE-2025-67746",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-67746"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-67746",
"url": "https://www.suse.com/security/cve/CVE-2025-67746"
},
{
"category": "external",
"summary": "SUSE Bug 1255768 for CVE-2025-67746",
"url": "https://bugzilla.suse.com/1255768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "low"
}
],
"title": "CVE-2025-67746"
},
{
"cve": "CVE-2026-40176",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40176"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40176",
"url": "https://www.suse.com/security/cve/CVE-2026-40176"
},
{
"category": "external",
"summary": "SUSE Bug 1262254 for CVE-2026-40176",
"url": "https://bugzilla.suse.com/1262254"
},
{
"category": "external",
"summary": "SUSE Bug 1262255 for CVE-2026-40176",
"url": "https://bugzilla.suse.com/1262255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2026-40176"
},
{
"cve": "CVE-2026-40261",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40261"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40261",
"url": "https://www.suse.com/security/cve/CVE-2026-40261"
},
{
"category": "external",
"summary": "SUSE Bug 1262255 for CVE-2026-40261",
"url": "https://bugzilla.suse.com/1262255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2026-40261"
}
]
}