Improper Neutralization

Affecting composer/composer package, versions >=2.0, <2.0.13 || <1.10.22

Overview

Affected versions of this package are vulnerable to Improper Neutralization: URLs for Mercurial repositories in the root composer.json, and package source download URLs, are not sanitized correctly. Specially crafted URL values allow commands to be executed by the HgDriver if hg (Mercurial) is installed on the system.

Remediation

Upgrade composer/composer to version 2.0.13, 1.10.22 or higher.
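The two practical checks a defender wants from this advisory are "is my Composer in the affected range?" and "does my composer.json hand any Mercurial URL to the HgDriver that looks like a command-line argument rather than a repository address?". The script below is an added example, not Composer's own code or Sonar's finding: the affected-range logic follows the versions listed on this page, while the URL rules (a scheme allow-list, rejecting values that begin with a dash or contain shell metacharacters) are a conservative heuristic of my own and are not Composer's actual sanitisation. The composer.json it inspects is constructed for the example.

```python
"""Audit helpers for the Composer HgDriver advisory (added example, not project code)."""
import json
import re

# Affected ranges exactly as the advisory lists them: >=2.0, <2.0.13 || <1.10.22
FIXED_2X = (2, 0, 13)
FIXED_1X = (1, 10, 22)

# Assumption for this example: only these schemes are considered normal hg remotes.
HG_SCHEMES = ("https://", "http://", "ssh://")
# Characters that have no place in a repository URL and matter once it reaches a shell.
SHELL_META = re.compile(r"[;&|`$<>\s]")


def parse_version(text):
    """Turn '2.0.8' or 'v1.10.20' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_composer(version):
    """True when the version falls in >=2.0,<2.0.13 or in <1.10.22 (the page's ranges)."""
    v = parse_version(version)
    if v >= (2, 0, 0):
        return v < FIXED_2X
    return v < FIXED_1X


def url_findings(url):
    """Return the reasons a Mercurial URL looks unsafe to pass to a VCS command line."""
    if not isinstance(url, str):
        return ["url is not a string"]
    reasons = []
    if url.startswith("-"):
        reasons.append("starts with '-' and could be parsed as a command-line option")
    if not url.startswith(HG_SCHEMES):
        reasons.append("scheme is not in the allow-list")
    if SHELL_META.search(url):
        reasons.append("contains shell metacharacters or whitespace")
    return reasons


def hg_urls_in_composer_json(text):
    """Yield (location, url) for every Mercurial-related URL in a composer.json document."""
    doc = json.loads(text)
    repos = doc.get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by repository name
        repos = list(repos.values())
    for i, repo in enumerate(repos):
        if not isinstance(repo, dict):
            continue
        rtype = repo.get("type")
        # Root-level Mercurial repositories ("hg", or "vcs" with driver auto-detection).
        if rtype in ("hg", "vcs") and "url" in repo:
            yield (f"repositories[{i}].url", repo["url"])
        # Inline package definitions carry their own source download URL.
        if rtype == "package":
            source = repo.get("package", {}).get("source", {})
            if source.get("type") == "hg" and "url" in source:
                yield (f"repositories[{i}].package.source.url", source["url"])


def audit(text):
    """Return [(location, url, reasons)] for every Mercurial URL with at least one finding."""
    results = []
    for location, url in hg_urls_in_composer_json(text):
        reasons = url_findings(url)
        if reasons:
            results.append((location, url, reasons))
    return results


# Constructed sample: one ordinary remote, one option-shaped value, one inline package.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/app",
    "repositories": [
        {"type": "hg", "url": "https://hg.example.test/team/library"},
        {"type": "hg", "url": "--constructed-suspicious-value"},
        {"type": "package", "package": {
            "name": "example/pinned", "version": "1.0.0",
            "source": {"type": "hg", "url": "ssh://hg.example.test/pinned", "reference": "default"},
        }},
    ],
})

if __name__ == "__main__":
    for ver in ("1.10.21", "1.10.22", "2.0.12", "2.0.13"):
        print(ver, "vulnerable" if is_vulnerable_composer(ver) else "fixed")
    for location, url, reasons in audit(SAMPLE_COMPOSER_JSON):
        print(f"{location}: {url!r} -> {'; '.join(reasons)}")
```

Run it against a real project by replacing `SAMPLE_COMPOSER_JSON` with the file contents and the version strings with `composer --version` output; a finding means the URL should be reviewed before any `composer install` or `update` runs on a machine that has hg installed, and the version check tells you whether upgrading is still outstanding.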

CVSS Score

8.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R
Credit
thomas-chauchefoin-sonarsource
CVE
CVE-2021-29472
CWE
CWE-707
Snyk ID
SNYK-PHP-COMPOSERCOMPOSER-1277193
Disclosed
28 Apr, 2021
Published
28 Apr, 2021