CVE-2022-24828

NameCVE-2022-24828
DescriptionComposer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1009960

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
composer (PTS)buster1.8.4-1+deb10u2fixed
buster (security)1.8.4-1+deb10u3fixed
bullseye2.0.9-2+deb11u1fixed
bullseye (security)2.0.9-2+deb11u2fixed
bookworm2.5.5-1fixed
bookworm (security)2.5.5-1+deb12u1fixed
sid, trixie2.7.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
composersourcebuster1.8.4-1+deb10u2
composersourcebullseye2.0.9-2+deb11u1
composersource(unstable)2.2.12-11009960

Notes

[stretch] - composer <no-dsa> (Minor issue)
https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 (2.2.12)
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
Search for package or bug name: Reporting problems