composer/composer Security Advisories for 2.0.1 (7)
- [HIGH] Composer has a command injection via malicious git branch name
PKSA-s25b-vbmp-jvhh CVE-2024-35241 GHSA-47f6-5gq3-vx9c
Affected version: >=2.3,<2.7.7|>=2.0,<2.2.24
Reported by: GitHub
- [HIGH] Composer has multiple command injections via malicious git/hg branch names
PKSA-b8f7-zn44-r4gz CVE-2024-35242 GHSA-v9qv-c7wm-wgmf
Affected version: >=2.3,<2.7.7|>=2.0,<2.2.24
Reported by: GitHub
- [HIGH] Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php
PKSA-jn72-4kr8-gj3h CVE-2024-24821 GHSA-7c6p-848j-wh5h
Affected version: >=2.3.0-rc1,<2.7.0|>=2.0.0-alpha1,<2.2.23
Reported by: GitHub
- [HIGH] Composer Remote Code Execution vulnerability via web-accessible composer.phar
PKSA-m1ph-vmbx-2xd3 CVE-2023-43655 GHSA-jm6m-4632-36hf
Affected version: >=2.3.0,<2.6.4|>=2.0.0,<2.2.22|<1.10.27
Reported by: GitHub
- [HIGH] Missing input validation can lead to command execution in composer
PKSA-6zmq-d6mk-r5wm CVE-2022-24828 GHSA-x7cr-6qr6-2hh6
Affected version: >=2.3,<2.3.5|>=2.0,<2.2.12|<1.10.26
Reported by: FriendsOfPHP/security-advisories, GitHub
- [HIGH] Improper escaping of command arguments on Windows leading to command injection
PKSA-93hy-9dc1-gbwt CVE-2021-41116 GHSA-frqg-7g38-6gcf
Affected version: >=2.0.0-alpha1,<2.1.9|<1.10.23
Reported by: FriendsOfPHP/security-advisories, GitHub
- [HIGH] Missing argument delimiter can lead to command execution via VCS repository URLs or source download URLs on systems with Mercurial
PKSA-9p8h-97x3-qxpm CVE-2021-29472 GHSA-h5h8-pc6h-jvvx
Affected version: >=2.0.0-alpha1,<2.0.13|<1.10.22
Reported by: FriendsOfPHP/security-advisories, GitHub