QID 995321

Date Published: 2023-09-22

QID 995321: PHP (Composer) Security Update for composer/composer (GHSA-725m-w832-q973)

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as Critical - 8.8 severity.

CVSS V2 rated as High - 7.5 severity.

Solution

Refer to Github security advisory GHSA-725m-w832-q973 for updates and patch information.

Vendor References

GHSA-725m-w832-q973 - github.com/advisories/GHSA-725m-w832-q973

CVEs related to QID 995321

CVE-2015-8371 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-725m-w832-q973	composer/composer		github.com/advisories/GHSA-725m-w832-q973

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].