URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specially crafted URL values allow commands to be executed in the HgDriver if hg/Mercurial is installed on the system.
Versions 1.10.22 and 2.0.13 include patches for this issue.
blog.sonarsource.com/php-supply-chain-attack-on-composer
getcomposer.org
github.com/composer/composer
github.com/composer/composer/security/advisories/GHSA-h5h8-pc6h-jvvx
github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-29472.yaml
lists.debian.org/debian-lts-announce/2021/05/msg00009.html
lists.fedoraproject.org/archives/list/[email protected]/message/FAQUAMGO4Q4BLNZ2OH4CXQD7UK4IO2GE
lists.fedoraproject.org/archives/list/[email protected]/message/KN3DMFH42BJW45VT6FYF2RXKC26D6VC2
nvd.nist.gov/vuln/detail/CVE-2021-29472
www.debian.org/security/2021/dsa-4907