CVE-2021-41116 Command injection in composer on Windows

Published: 2021-10-05 17:40:10
CWE-77
Source: GitHub_M (cvelist), www.cve.org

8.2 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

AI Score: 10 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 68.2%)

Composer is an open source dependency manager for the PHP language. In affected versions, Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their Composer version. Other OSs and WSL are not affected. The issue has been resolved in Composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.

CNA Affected

[
  {
    "vendor": "composer",
    "product": "composer",
    "versions": [
      {
        "version": "< 1.10.23",
        "status": "affected"
      },
      {
        "version": ">= 2.0, < 2.1.9",
        "status": "affected"
      }
    ]
  }
]
