CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
46.4%
Composer before 2016-02-10 allows cache poisoning from other projects built
on the same host. This results in attacker-controlled code entering a
server-side build process. The issue occurs because of the way that dist
packages are cached. The cache key is derived from the package name, the
dist type, and certain other data from the package repository (which may
simply be a commit hash, and thus can be found by an attacker). Versions
through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.
Author | Note |
---|---|
tyhicks | Fixed in 10.02.2016 upstream |