Published: 05/10/2021 Updated: 25/10/2023

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.

Vulnerable Product	Search on Vulmon	Subscribe to Product
getcomposer composer
tenable tenable.sc

Windows users running Composer before version 219 to install untrusted dependencies are subject to command injection and should upgrade their composer version Other OSs and WSL are not affected ...

Tenablesc leverages third-party software to help provide underlying functionality Several of the third-party components were found to contain vulnerabilities, and updated versions have been made available by the providers Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact ...

CWE-77 https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf https://www.sonarsource.com/blog/securing-developer-tools-package-managers/https://nvd.nist.gov https://security.archlinux.org/CVE-2021-41116 https://www.tenable.com/security/tns-2022-09

CVE-2021-41116

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect