CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 9.0%
Composer reports:
Code execution and possible privilege escalation via
compromised InstalledVersions.php or installed.php.
Several files within the local working directory are
included during the invocation of Composer and in the
context of the executing user.
As such, under certain conditions arbitrary code
execution may lead to local privilege escalation, provide
lateral user movement or malicious code execution when
Composer is invoked within a directory with tampered
files.
All Composer CLI commands are affected, including
composer.phar’s self-update.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | php81-composer | < 2.7.0 | UNKNOWN |
FreeBSD | any | noarch | php82-composer | < 2.7.0 | UNKNOWN |
FreeBSD | any | noarch | php83-composer | < 2.7.0 | UNKNOWN |
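A pre-flight check a defender can run before invoking Composer in a directory that another account may have written to. This is an added example, not code from Composer or from the advisory; the function names are hypothetical, and it assumes a `sort` that supports `-V` (GNU coreutils and FreeBSD both do).

```shell
#!/bin/sh
# Added example (not Composer's own code). It looks for the two files the
# advisory names and reports copies that someone other than the invoking
# user could have modified.

FIXED_VERSION="2.7.0"   # first unaffected version per the package table

# Return 0 (true) when Composer version $1 is older than FIXED_VERSION.
composer_is_affected() {
    [ "$1" = "$FIXED_VERSION" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$oldest" = "$1" ]
}

# Print every InstalledVersions.php / installed.php under directory $1 that
# is a symlink, is not owned by the invoking user, or is group- or
# world-writable. Returns 1 if any such file is found, 0 otherwise.
suspect_composer_files() {
    dir=${1:-.}
    found=$(find "$dir" \
        \( -name InstalledVersions.php -o -name installed.php \) \
        \( -type l -o \
           \( -type f \( ! -user "$(id -u)" -o -perm -020 -o -perm -002 \) \) \
        \) -print 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Source the file, then run `suspect_composer_files /path/to/project` before invoking Composer there from a more privileged account; a non-zero return means the listed files should be inspected first.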