CVE-2024-35242
Published: 10 June 2024
Summary
CVE-2024-35242 is a high-severity Command Injection (CWE-77) vulnerability in Fedoraproject (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Composer is a dependency manager for PHP. CVE-2024-35242 is a command-injection vulnerability (CWE-77) affecting the 2.x branch prior to versions 2.2.24 and 2.7.7. When the `composer install` command executes inside a git or Mercurial repository containing specially crafted branch names, arbitrary commands can be injected and run. The flaw carries a CVSS 3.1 score of 8.8.
An attacker who can induce a victim to clone an untrusted repository and subsequently run `composer install` can achieve remote command execution with the privileges of the Composer process, resulting in full confidentiality, integrity, and availability impact.
Patches addressing the issue are available in Composer 2.2.24 (LTS) and 2.7.7 (mainline), with the fixes documented in the associated GitHub commits and security advisory GHSA-v9qv-c7wm-wgmf. As a workaround, users are advised to avoid cloning repositories from untrusted sources. The EPSS score peaked at 0.2521 and currently stands at 0.2379.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2177
Vulnerability details
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.