CVE-2015-8371

EUVD-2023-2452
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.
CVSS 3.x Base Score
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  8.8 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score: Percentile 77%
Affected Products (NVD)
Vendor       Product   Version (vulnerable)
getcomposer  composer  1.0.0:alpha1
getcomposer  composer  1.0.0:alpha2
getcomposer  composer  1.0.0:alpha3
getcomposer  composer  1.0.0:alpha4
getcomposer  composer  1.0.0:alpha5
getcomposer  composer  1.0.0:alpha6
getcomposer  composer  1.0.0:alpha7
getcomposer  composer  1.0.0:alpha8
getcomposer  composer  1.0.0:alpha9
getcomposer  composer  1.0.0:alpha10
getcomposer  composer  1.0.0:alpha11
Debian Releases
Debian Product: composer
Codename             Version          Status
bookworm             2.5.5-1+deb12u2  fixed
bookworm (security)  2.5.5-1+deb12u2  fixed
bullseye             2.0.9-2+deb11u4  fixed
bullseye (security)  2.0.9-2+deb11u4  fixed
sid                  2.8.2-1          fixed
trixie               2.8.2-1          fixed
Ubuntu Releases
Ubuntu Product: composer
Codename  Status
artful    ignored
bionic    not-affected
precise   dne
trusty    dne
wily      ignored
xenial    not-affected
yakkety   ignored
zesty     ignored