​
Security Advisories

CVE-2024-35242

Published

Last updated

https://nvd.nist.gov/vuln/detail/CVE-2024-35242

Severity

8.8

High

CVSS V3

Summary

Composer has multiple command injections via malicious git/hg branch names

Description

Impact

Running the composer install command inside a git/hg repository that has specially crafted branch names can lead to command injection. Exploitation therefore requires cloning an untrusted repository.

Patches

2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds

Avoid cloning potentially compromised repositories.
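
A pre-install triage check, added here as an example and not taken from the advisory or from Composer's own code: it compares a Composer version string with the fixed releases listed under Patches and flags git branch names that contain shell metacharacters before composer install is run in a freshly cloned repository. The character set, the leading-dash rule and all function names are assumptions of this example; it is a heuristic, and hg repositories are not covered.

```python
import re
import subprocess
import sys

# Fixed releases named in the advisory.
PATCHED_LTS = (2, 2, 24)       # 2.2 LTS line
PATCHED_MAINLINE = (2, 7, 7)   # mainline

# Assumption: characters a POSIX shell treats specially and that git still
# accepts in ref names. A heuristic, not the check Composer itself applies.
SHELL_META = re.compile(r"[;|&$`()<>'\"!{}]")


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its line.

    Versions outside the 2.2 LTS line are compared against the mainline
    fix, so anything older is reported as not known to be fixed.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return False  # unparseable: treat as unpatched
    v = tuple(int(p) for p in m.groups())
    if v[:2] == (2, 2):
        return v >= PATCHED_LTS
    return v >= PATCHED_MAINLINE


def suspicious_branches(names):
    """Return branch names with shell metacharacters or a leading '-'."""
    return [n for n in names if n.startswith("-") or SHELL_META.search(n)]


def list_branches(repo: str):
    """List local and remote-tracking branches; argv list, no shell."""
    out = subprocess.run(
        ["git", "-C", repo, "for-each-ref", "--format=%(refname:short)",
         "refs/heads", "refs/remotes"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.splitlines()


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    flagged = suspicious_branches(list_branches(repo))
    for name in flagged:
        print(f"suspicious branch name: {name!r}")
    sys.exit(1 if flagged else 0)
```

A clean result does not make an untrusted repository safe; upgrading to a fixed release remains the actual remedy.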

References

Affected packages


© 2024 Chainguard. All Rights Reserved.