vulnerability
FreeBSD: VID-5F608C68-276C-11EF-8CAA-0897988A1C07 (CVE-2024-35242): Composer -- Multiple command injections via malicious git/hg branch names
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 06/10/2024 | 06/11/2024 | 02/18/2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
06/10/2024
Added
06/11/2024
Modified
02/18/2025
Description
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
Solution(s)
freebsd-upgrade-package-php81-composerfreebsd-upgrade-package-php82-composerfreebsd-upgrade-package-php83-composer
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.