Vulnerability Details : CVE-2022-24828
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2022-24828
Probability of exploitation activity in the next 30 days: 0.25%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 63 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-24828
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
|
8.3
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
1.6
|
6.0
|
GitHub, Inc. |
CWE ids for CVE-2022-24828
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Secondary)
-
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.Assigned by: nvd@nist.gov (Primary)
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24828
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/
[SECURITY] Fedora 34 Update: composer-2.2.12-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/
[SECURITY] Fedora 36 Update: composer-2.3.5-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.tenable.com/security/tns-2022-09
[R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable®Patch;Third Party Advisory
-
https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
Merge pull request from GHSA-x7cr-6qr6-2hh6 · composer/composer@2c40c53 · GitHubPatch;Third Party Advisory
-
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
Missing input validation can lead to command execution via VcsDriver::getFileContent() · Advisory · composer/composer · GitHubThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/
[SECURITY] Fedora 35 Update: composer-2.3.5-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Products affected by CVE-2022-24828
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
- cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*
- cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*
- cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*