FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Composer -- Code execution and possible privilege escalation

Affected packages
php81-composer < 2.7.0
php82-composer < 2.7.0
php83-composer < 2.7.0

Details

VuXML ID 33ba2241-c68e-11ee-9ef3-001999f8d30b
Discovery 2024-02-08
Entry 2024-02-08

Copmposer reports:

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

References

CVE Name CVE-2024-24821
URL https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h