Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.5
CVSSv2

CVE-2021-29472

Published: 27/04/2021 Updated: 07/11/2023
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Subscribe to Getcomposer

Vulnerability Summary

A security issue was found in Composer prior to 1.10.22 and 2.0.13. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

getcomposer composer

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 33

fedoraproject fedora 34

Vendor Advisories

Debian Security Advisories: DSA-4907-1 composer -- security update
It was discovered that composer, a dependency manager for PHP, did not properly sanitize Mercurial URLs, which could lead to arbitrary code execution For the stable distribution (buster), this problem has been fixed in version 184-1+deb10u1 We recommend that you upgrade your composer packages For the detailed security status of composer please ...
Arch Linux Issues:
A security issue was found in Composer before versions 11022 and 2013 URLs for Mercurial repositories in the root composerjson and package source download URLs are not sanitized correctly Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system The impact to Composer users directl ...

References

CWE-94CWE-88https://getcomposer.org/https://github.com/composer/composer/security/advisories/GHSA-h5h8-pc6h-jvvxhttps://www.debian.org/security/2021/dsa-4907https://lists.debian.org/debian-lts-announce/2021/05/msg00009.htmlhttps://blog.sonarsource.com/php-supply-chain-attack-on-composer/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FAQUAMGO4Q4BLNZ2OH4CXQD7UK4IO2GE/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KN3DMFH42BJW45VT6FYF2RXKC26D6VC2/https://nvd.nist.govhttps://www.debian.org/security/2021/dsa-4907https://security.archlinux.org/CVE-2021-29472
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-38298CVE-2024-20356CVE-2023-21987CVE-2024-33217bypassCVE-2024-31804CVE-2024-32660unauthorizedSSRF
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook