Lookup for vulnerable packages by Package URL.
| Purl | pkg:composer/composer/composer@2.3.5 |
|---|
| Type | composer |
|---|
| Namespace | composer |
|---|
| Name | composer |
|---|
| Version | 2.3.5 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | 2.6.4 |
|---|
| Latest_non_vulnerable_version | 2.9.8 |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-xjjm-qjy8-aken |
| vulnerability_id |
VCID-xjjm-qjy8-aken |
| summary |
Improper Input Validation
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-24828, GHSA-x7cr-6qr6-2hh6
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xjjm-qjy8-aken |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.5 |
|---|