CVE-2015-8371

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.8 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |
| CISA-ADP | ADP | --- | --- | --- | --- | --- |

Base Score: CVSS 3.x
EPSS Score: Percentile 66%
| Vendor | Product | Version |
|---|---|---|
| getcomposer | composer | 1.0.0:alpha1 |
| getcomposer | composer | 1.0.0:alpha10 |
| getcomposer | composer | 1.0.0:alpha11 |
| getcomposer | composer | 1.0.0:alpha2 |
| getcomposer | composer | 1.0.0:alpha3 |
| getcomposer | composer | 1.0.0:alpha4 |
| getcomposer | composer | 1.0.0:alpha5 |
| getcomposer | composer | 1.0.0:alpha6 |
| getcomposer | composer | 1.0.0:alpha7 |
| getcomposer | composer | 1.0.0:alpha8 |
| getcomposer | composer | 1.0.0:alpha9 |

x = Vulnerable software versions
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| composer | bullseye (security) | 2.0.9-2+deb11u4 | fixed |
| composer | bullseye | 2.0.9-2+deb11u4 | fixed |
| composer | bookworm | 2.5.5-1+deb12u2 | fixed |
| composer | bookworm (security) | 2.5.5-1+deb12u2 | fixed |
| composer | sid | 2.8.2-1 | fixed |
| composer | trixie | 2.8.2-1 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| composer | bionic | not-affected |
| composer | artful | ignored |
| composer | zesty | ignored |
| composer | yakkety | ignored |
| composer | xenial | not-affected |
| composer | wily | ignored |
| composer | trusty | dne |
| composer | precise | dne |