vulnerability

Debian: CVE-2015-8371: composer -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:M/Au:N/C:C/I:C/A:C)	09/21/2023	07/30/2024	01/28/2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:C/A:C)

Published

09/21/2023

Added

07/30/2024

Modified

01/28/2025

Description

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

Solution

debian-upgrade-composer

References

CVE-2015-8371
https://attackerkb.com/topics/CVE-2015-8371

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today