Composer CVE-2024-40176 Command Injection via Malicious Perforce Config

Vulnerability Overview Title: Command injection via malicious Perforce repository definition CVE ID: CVE-2024-40176 CVSS Score: 7.8 / 10 (High) Reporter: Seldaeck Published Date: 4 days ago (relative to screenshot time) Description: The method does not properly escape user-provided Perforce connection parameters (such as port, user, client) when constructing shell commands, allowing an attacker to inject arbitrary commands through a malicious Perforce repository configuration in . Even if Perforce is not installed on the system, Composer will still trigger this vulnerability when executing commands. Impact: Attackers can inject arbitrary commands and execute them in the context of the user running Composer commands. Exploitation does not require Perforce installation; it only relies on a malicious Perforce configuration in . Since Composer only loads from the project root directory or configuration directory, indirect exploitation via configuration files in installed packages is not possible. --- Affected Scope --- Remediation Patch Versions: Composer 2.2.27 (2.2 LTS) Composer 2.9.6 (mainline) Workspace Recommendations: Carefully review the file before running Composer to ensure Perforce-related fields contain legitimate values. Only run Composer commands on projects from trusted sources. --- Additional Information CVSS v3 Base Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Confidentiality: High - Integrity: High - Availability: High Weaknesses: CWE-20, CWE-78 Credits: - Reporter: sakus912 - Fix Reviewer: glauthnik

Goal Reached Thanks to every supporter — we hit 100%!

Composer CVE-2024-40176 Command Injection via Malicious Perforce Config

More from this source