QwikSec

Security Database

CVE

CWE

Training

CVE-2024-35241

Published: Jun 10, 2024

Modified: Apr 21, 2025

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

Vendor	Product	Versions
composer	composer	affected `>= 2.0, < 2.2.24` affected `>= 2.3, < 2.7.7`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c

x_refsource_CONFIRM

https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4

x_refsource_MISC

https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/[email protected]/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/

https://lists.fedoraproject.org/archives/list/[email protected]/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.