CVE-2021-29472: Argument Injection in Composer

Severity: 8.8 HIGH (NVD)
EPSS: 3.6% (top 12.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 27; latest update Jul 8

Description

Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to
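The description above says the Mercurial command line is built from URLs that Composer reads from the root composer.json and from package source metadata, and the advisory titles name the root cause as a missing argument delimiter. The Python below is an added example, not Composer's code and not the project's fix: it shows the command shape in which a URL that begins with "-" is consumed by hg as an option, the "--" delimiter that ends option parsing, and a small audit over composer.json and composer.lock that flags option-like URL values. The JSON documents and URLs are constructed for the example, `hg identify` is assumed as the representative subcommand, and nothing is executed; the argv classification follows the getopt convention rather than calling hg.

```python
"""Added example (not Composer's code): why a missing "--" delimiter lets a
repository URL be read as a Mercurial option, plus an audit over composer.json
and composer.lock for option-like URL values. All sample data is constructed."""
import json
import shlex
from typing import List, Optional, Tuple

# Composer passes URLs from composer.json (repositories of type vcs/hg) and
# from package source metadata to hg. Shell-quoting the URL protects the shell
# from the value; it does not stop hg from parsing a leading "-" as an option.
def hg_identify_vulnerable(url: str) -> List[str]:
    """argv hg would receive when the URL is quoted but not delimited."""
    return shlex.split("hg identify " + shlex.quote(url))

def hg_identify_fixed(url: str) -> List[str]:
    """argv with a '--' delimiter: everything after it is a positional."""
    return shlex.split("hg identify -- " + shlex.quote(url))

def classify_argv(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Split argv into (options, positionals) the way a getopt-style parser
    does: a token starting with '-' is an option until a bare '--' is seen.
    argv[0] is the program and argv[1] the subcommand, so both are skipped."""
    options, positionals, delimited = [], [], False
    for tok in argv[2:]:
        if delimited:
            positionals.append(tok)
        elif tok == "--":
            delimited = True
        elif tok.startswith("-"):
            options.append(tok)
        else:
            positionals.append(tok)
    return options, positionals

def is_option_like_url(url: str) -> bool:
    """A value starting with '-' would be parsed as an option by a subprocess."""
    return url.startswith("-")

def audit_composer_documents(composer_json: str,
                             composer_lock: Optional[str] = None) -> List[str]:
    """Return 'location: value' findings for option-like URLs in the root
    composer.json repositories and in lock-file source/dist URLs."""
    findings = []
    root = json.loads(composer_json)
    repos = root.get("repositories", [])
    if isinstance(repos, dict):          # repositories may be a named object
        repos = list(repos.values())
    for i, repo in enumerate(repos):
        url = repo.get("url") if isinstance(repo, dict) else None
        if isinstance(url, str) and is_option_like_url(url):
            findings.append(f"repositories[{i}].url: {url}")
    if composer_lock:
        lock = json.loads(composer_lock)
        for section in ("packages", "packages-dev"):
            for pkg in lock.get(section, []):
                for key in ("source", "dist"):
                    url = (pkg.get(key) or {}).get("url")
                    if isinstance(url, str) and is_option_like_url(url):
                        findings.append(f"{section}/{pkg.get('name')}.{key}.url: {url}")
    return findings

# Constructed sample documents: one legitimate hg URL and one option-like value
# (a neutral placeholder, not a real hg option) in each file.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/app",
    "repositories": [
        {"type": "vcs", "url": "https://hg.example.org/legit/repo"},
        {"type": "vcs", "url": "--injected=option"},
    ],
})
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/ok",
         "source": {"type": "hg", "url": "https://hg.example.org/vendor/ok",
                    "reference": "abc"}},
        {"name": "vendor/evil",
         "source": {"type": "hg", "url": "--injected=option",
                    "reference": "abc"}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    bad = "--injected=option"
    print("without '--':", classify_argv(hg_identify_vulnerable(bad)))
    print("with '--':   ", classify_argv(hg_identify_fixed(bad)))
    for finding in audit_composer_documents(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK):
        print("finding:", finding)
```

The audit is a complement to upgrading, not a substitute: the affected-package table on this page gives the fixed releases (1.10.22 on the 1.x line, 2.0.13 on the 2.x line), and `composer --version` on a build host is the first check to run. The delimiter matters because the shell-quoting most code already applies is aimed at the shell, while argument injection is decided by the option parser of the program being invoked.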

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore: 2.8 | Impact subscore: 5.9

Affected Packages (4 packages)

Source        Package                 Affected range               More
CVEList V5    composer/composer       < 1.10.22                    +1
Packagist     composer/composer       >= 2.0.0-alpha1, < 2.0.13    +1
NVD           getcomposer/composer    >= 2.0, < 2.0.13             +1
Debian        composer/composer       < 2.0.9-2                    +3

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34

Vulnerability Details (4)

GHSA (2021-04-29): Composer's missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial
OSV (2021-04-29): Composer's missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial
OSV (2021-04-27): CVE-2021-29472: Composer is a dependency manager for PHP
CVEList (2021-04-27): Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer

Vendor Advisories (2)

Ubuntu (2022-07-08): Composer vulnerability
Debian (2021): CVE-2021-29472: composer - Composer is a dependency manager for PHP. URLs for Mercurial repositories in the...
CVE-2021-29472 — Argument Injection in Composer | cvebase