Vulnerability Details : CVE-2021-41116
Composer is an open source dependency manager for the PHP language. In affected versions, Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their Composer version. Other OSs and WSL are not affected. The issue has been resolved in Composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.
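The advisory names two fixed releases on two release lines, so a naive "is my version newer than the fix" comparison gets it wrong: 2.1.8 is newer than 1.10.23 and still vulnerable. The script below is an added example, not code from the Composer project or from the advisory. It classifies a Composer version string against the two ranges, extracts the version from `composer --version` output, and scopes the verdict to native Windows as the advisory does. It assumes GNU coreutils `sort -V`, plain numeric versions without pre-release suffixes, and that the Windows-provided `OS=Windows_NT` environment variable is visible in Git Bash / MSYS but not in WSL; the sample output line is constructed.

```shell
#!/usr/bin/env bash
# Added example, not Composer project code: classify a Composer version
# against the two fixed releases named in the advisory (1.10.23 for the 1.x
# line, 2.1.9 for the 2.x line). Assumes GNU coreutils `sort -V` and plain
# numeric versions (pre-release suffixes such as -RC1 are not handled).
set -eu

# version_lt A B: succeed when A sorts strictly before B in version order.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# composer_affected VERSION: succeed when VERSION predates its branch's fix.
# The branches are checked separately: 2.1.8 is newer than 1.10.23 yet still
# vulnerable, so a single "newer than the fix" comparison would be wrong.
composer_affected() {
  case "$1" in
    1.*) version_lt "$1" 1.10.23 ;;
    2.*) version_lt "$1" 2.1.9 ;;
    *)   return 1 ;;
  esac
}

# parse_composer_version TEXT: extract the version from `composer --version`
# output, e.g. "Composer version 2.1.8 2021-09-15 13:55:14". Lines that do
# not start with "Composer version" (newer builds also print a PHP line)
# are ignored.
parse_composer_version() {
  printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][^ ]*\).*/\1/p'
}

# host_is_native_windows: the advisory scopes the bug to native Windows; WSL
# and other OSs are out of scope. Assumption: the Windows-provided
# OS=Windows_NT variable is present in Git Bash / MSYS and absent in WSL.
host_is_native_windows() {
  [ "${OS:-}" = "Windows_NT" ]
}

# Constructed sample standing in for a real `composer --version` run.
SAMPLE_OUTPUT="Composer version 2.1.8 2021-09-15 13:55:14"

# check_host: print the verdict for the Composer on this host, falling back
# to the constructed sample when composer is not installed.
check_host() {
  local out ver
  out="$(composer --version 2>/dev/null || printf '%s' "$SAMPLE_OUTPUT")"
  ver="$(parse_composer_version "$out")"
  if ! host_is_native_windows; then
    echo "Composer $ver: not native Windows, CVE-2021-41116 does not apply"
  elif composer_affected "$ver"; then
    echo "Composer $ver: AFFECTED by CVE-2021-41116, upgrade to 1.10.23+ or 2.1.9+"
  else
    echo "Composer $ver: fixed"
  fi
}

check_host
```

Run it from Git Bash on the Windows host where Composer is installed; on WSL or Linux it reports the CVE as not applicable regardless of version, matching the advisory's scope.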
Products affected by CVE-2021-41116
- cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
- cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41116
EPSS score: 0.55% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~78% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-41116
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N | 2.8 | 4.7 | GitHub, Inc. |

The first row is a CVSS v2 vector; the other two are CVSS v3.1. NIST and GitHub differ on whether user interaction is required (UI:N versus UI:R), on scope (S:U versus S:C) and on integrity impact (I:H versus I:L), which accounts for the 9.8 versus 8.2 gap.
CWE ids for CVE-2021-41116
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2021-41116
- https://www.tenable.com/security/tns-2022-09 : [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable (Patch; Release Notes; Third Party Advisory)
- https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa : Fix escaping issues on Windows which could lead to command injection,… · composer/composer@ca5e2f8 · GitHub (Patch; Third Party Advisory)
- https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf : Improper escaping of command arguments on Windows leading to command injection · Advisory · composer/composer · GitHub (Third Party Advisory)
- https://www.sonarsource.com/blog/securing-developer-tools-package-managers/ : Securing Developer Tools: Package Managers | Sonar