CVE-2023-43655
published 2023-09-29


Priority: P2, 60, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.38% (68.7th percentile)
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Affected

20 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| composer | composer | < 1.10.27 | 1.10.27 |
| composer | composer | | |
| composer | composer | | |
| composer | composer | >= 0 < 2.6.4-1 | 2.6.4-1 |
| composer | composer | >= 0 < 2.6.4-1 | 2.6.4-1 |
| composer | composer | >= 0 < 1.10.27 | 1.10.27 |
| composer | composer | >= 0 < 1.0.0~beta2-1ubuntu0.1~esm2 | 1.0.0~beta2-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.6.3-1ubuntu0.1~esm2 | 1.6.3-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.10.1-1ubuntu0.1~esm2 | 1.10.1-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 2.2.6-2ubuntu4+esm1 | 2.2.6-2ubuntu4+esm1 |
| composer | composer | >= 0 < 2.7.1-2ubuntu0.1~esm1 | 2.7.1-2ubuntu0.1~esm1 |
| composer | composer | >= 2.0.0 < 2.2.22 | 2.2.22 |
| composer | composer | >= 2.3.0 < 2.6.4 | 2.6.4 |
| debian | composer | < composer 2.6.4-1 (forky) | composer 2.6.4-1 (forky) |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| getcomposer | composer | < 1.10.27 | 1.10.27 |
| getcomposer | composer | >= 2.0.0 < 2.2.21 | 2.2.21 |
| getcomposer | composer | >= 2.3.0 < 2.6.4 | 2.6.4 |

Detection & IOCs (extracted from sources)

  • Detect a web-accessible composer.phar that can be executed as a PHP file; this is the attack surface for the RCE vulnerability
  • Flag register_argc_argv=On in php.ini as the prerequisite condition that enables this vulnerability
  • Composer did not correctly handle certain arguments; monitor for unexpected argument injection in Composer invocations, especially via web requests
  • The vulnerability only triggers when both conditions are met: composer.phar is published to a public web-accessible server AND PHP has register_argc_argv enabled
  • Mitigation without upgrading requires disabling register_argc_argv in php.ini AND not publishing composer.phar to the web
  • Patched versions are 2.6.4, 2.2.22 and 1.10.27; any Composer version below these on a web-accessible server with register_argc_argv=On is vulnerable
  • Debian Bookworm and Bullseye remained open/unpatched per the Debian security tracker at the time of source capture
  • Affected Ubuntu releases include 16.04 LTS, 18.04 LTS, 20.04 LTS and 22.04 LTS

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_ubuntu | | 8.3 | HIGH | |
| vendor_debian | | 6.4 | MEDIUM | |