CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%
Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar’s self-update.
The following are of high risk:
2.7.0, 2.2.23
Where not possible, the following should be addressed:
vendor/composer/InstalledVersions.php
and vendor/composer/installed.php
do not include untrusted code.A reset can also be done on these files by the following:
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
github.com/advisories/GHSA-7c6p-848j-wh5h
github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7
github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
nvd.nist.gov/vuln/detail/CVE-2024-24821