Improper Neutralization Affecting composer/composer package, versions >=2.0 <2.0.13 and <1.10.22
Snyk CVSS
Attack Complexity: Low
Confidentiality: High
Integrity: High
Availability: High
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 6.3% (94th percentile)
- Snyk ID SNYK-PHP-COMPOSERCOMPOSER-1277193
- published 28 Apr 2021
- disclosed 28 Apr 2021
- credit thomas-chauchefoin-sonarsource
Introduced: 28 Apr 2021
CVE-2021-29472
How to fix?
Upgrade composer/composer to version 2.0.13, 1.10.22 or higher.
Overview
composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.
Affected versions of this package are vulnerable to Improper Neutralization. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow commands to be executed in the HgDriver if hg/Mercurial is installed on the system.
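As an added example (not Composer's own fix and not part of this advisory), the Python below screens the repository URLs in a constructed composer.json for values that do not look like addresses, and checks an installed Composer version against the affected ranges stated above; the URL rule and the sample data are my own assumptions.

```python
import json
import re

# Constructed sample composer.json: one ordinary Mercurial repository, one
# "package" repository whose source is fetched with hg, and one entry whose
# URL is an option-like token rather than an address.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {"acme/widgets": "^1.0"},
    "repositories": [
        {"type": "hg", "url": "https://hg.example.org/acme/widgets"},
        {"type": "package", "package": {
            "name": "acme/legacy", "version": "1.0.0",
            "source": {"type": "hg", "url": "ssh://hg@hg.example.org/acme/legacy",
                       "reference": "default"}}},
        {"type": "vcs", "url": "--not-a-real-url"},
    ],
})

# Assumed rule: a VCS URL must carry an explicit scheme and start with an
# alphanumeric host; anything else (including values beginning with '-')
# is treated as suspicious and should never reach an hg command line.
SAFE_URL = re.compile(r"^(?:https?|ssh)://[A-Za-z0-9][^\s]*$")


def is_safe_vcs_url(url: str) -> bool:
    """True only for URLs that match the assumed address shape above."""
    return SAFE_URL.match(url) is not None


def find_suspicious_repositories(composer_json: str) -> list:
    """Return (repo_type, url) for every hg-related URL that fails the check."""
    data = json.loads(composer_json)
    hits = []
    for repo in data.get("repositories", []):
        rtype = repo.get("type")
        if rtype in ("hg", "vcs"):
            url = repo.get("url", "")
        elif rtype == "package" and repo.get("package", {}).get("source", {}).get("type") == "hg":
            url = repo["package"]["source"].get("url", "")  # package source download URL
        else:
            continue
        if not is_safe_vcs_url(url):
            hits.append((rtype, url))
    return hits


def is_affected_composer_version(version: str) -> bool:
    """Affected ranges from the advisory: <1.10.22, or >=2.0 and <2.0.13."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))  # drop '-rc1' style suffixes
    if parts[0] >= 2:
        return parts < (2, 0, 13)
    return parts < (1, 10, 22)
```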