Command Injection

Affecting composer/composer package, versions >=2.0.0, <2.1.9 || <1.10.23


Overview

composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere.

Affected versions of this package are vulnerable to Command Injection because command arguments are not escaped properly before being passed to the shell. Note: this only affects Windows users.

Remediation

Upgrade composer/composer to version 2.1.9, 1.10.23 or higher.
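To find out whether a project or build host still carries an affected composer/composer, here is an added check (not part of this advisory or of Composer itself) that reads vendor/composer/installed.json, or the first line of `composer --version`, and compares the version against the ranges stated above; the embedded installed.json is a constructed sample.

```python
"""Flag composer/composer versions inside the advisory's affected ranges."""
import json
import re
from typing import List, Optional, Tuple

# Bounds quoted from the advisory: >=2.0.0 <2.1.9, or <1.10.23.
FIRST_AFFECTED_2X = (2, 0, 0)
FIXED_2X = (2, 1, 9)
FIXED_1X = (1, 10, 23)
Version = Tuple[int, int, int]


def parse_version(raw: str) -> Optional[Version]:
    """Reduce 'v2.1.8', '2.1.8-RC1' or '1.10.22.0' to (major, minor, patch).
    Returns None for branch aliases such as 'dev-main'. A pre-release tag is
    treated as its release number, so '2.1.9-RC1' is judged as 2.1.9."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(raw: str) -> Optional[bool]:
    """True inside an affected range, False if fixed, None if not judgeable."""
    v = parse_version(raw)
    if v is None:
        return None
    if v >= FIRST_AFFECTED_2X:
        return v < FIXED_2X      # 2.0.0 .. 2.1.8 affected; 2.1.9+ and 3.x fixed
    return v < FIXED_1X          # 1.x below 1.10.23 affected


def vulnerable_composer_entries(installed_json: str) -> List[str]:
    """Scan installed.json; Composer 1 writes a list, Composer 2 a dict with 'packages'."""
    data = json.loads(installed_json)
    packages = data.get("packages", []) if isinstance(data, dict) else data
    return [f"{p['name']} {p['version']}" for p in packages
            if p.get("name") == "composer/composer" and is_vulnerable(p.get("version", ""))]


def composer_cli_vulnerable(version_output: str) -> Optional[bool]:
    """Judge output such as 'Composer version 2.1.8 2021-09-15 ...'."""
    m = re.search(r"Composer version (\S+)", version_output)
    return is_vulnerable(m.group(1)) if m else None


# Constructed sample in the Composer 2 installed.json layout (not real project data).
SAMPLE_INSTALLED_JSON = json.dumps({"packages": [
    {"name": "psr/log", "version": "1.1.4"},
    {"name": "composer/composer", "version": "2.1.8"},
], "dev": True})

if __name__ == "__main__":
    print(vulnerable_composer_entries(SAMPLE_INSTALLED_JSON))
    print(composer_cli_vulnerable("Composer version 1.10.22 2021-04-27 13:10:45"))
```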

CVSS Score

8.2 (high severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Credit: Paul Gerste
CVE: CVE-2021-41116
CWE: CWE-78
Snyk ID: SNYK-PHP-COMPOSERCOMPOSER-1728397
Disclosed: 05 Oct, 2021
Published: 06 Oct, 2021