CVE-2023-43655

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d	Patch
https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c	Patch
https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c	Patch
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/	Mailing List Third Party Advisory
https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d	Patch
https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c	Patch
https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c	Patch
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:getcomposer:composer::::::::
	cpe:2.3:a:getcomposer:composer::::::::
	cpe:2.3:a:getcomposer:composer::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:37:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*

History

21 Nov 2024, 08:24

Type	Values Removed	Values Added
References	~~() https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d - Patch~~	() https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d - Patch
References	~~() https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c - Patch~~	() https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c - Patch
References	~~() https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c - Patch~~	() https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c - Patch
References	~~() https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf - Vendor Advisory~~	() https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf - Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html -~~	() https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/ - Mailing List, Third Party Advisory~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/ - Mailing List, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/ - Mailing List, Third Party Advisory~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/ - Mailing List, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 6.4

27 Mar 2024, 10:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html -

03 Nov 2023, 21:15

Type	Values Removed	Values Added
References		(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/ -

03 Nov 2023, 19:05

Type	Values Removed	Values Added
CPE		cpe:2.3:o:fedoraproject:fedora:38:::::::* cpe:2.3:o:fedoraproject:fedora:37:::::::*
References	~~(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/ -~~	(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/ - Mailing List, Third Party Advisory
References	~~(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/ -~~	(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/ - Mailing List, Third Party Advisory
First Time		Fedoraproject fedora Fedoraproject

15 Oct 2023, 04:15

Type	Values Removed	Values Added
References		(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/ -

04 Oct 2023, 01:46

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
First Time		Getcomposer Getcomposer composer
CPE		cpe:2.3:a:getcomposer:composer::::::::
References	~~(MISC) https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d -~~	(MISC) https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d - Patch
References	~~(MISC) https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c -~~	(MISC) https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c - Patch
References	~~(MISC) https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf -~~	(MISC) https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf - Vendor Advisory
References	~~(MISC) https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c -~~	(MISC) https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c - Patch

29 Sep 2023, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-29 20:15

Updated : 2024-11-21 08:24

NVD link : CVE-2023-43655

Mitre link : CVE-2023-43655

CVE.ORG link : CVE-2023-43655

JSON object : View

Products Affected

getcomposer

composer

fedoraproject

fedora

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

6.4 /10