CVE-2021-41116

EUVD-2021-2198
Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
GitHub_MCNA
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
Affected Products (NVD)
VendorProductVersion
getcomposercomposer
𝑥
< 1.10.23
getcomposercomposer
2.0.0 ≤
𝑥
< 2.1.9
tenabletenable.sc
𝑥
< 5.21.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
composer
bookworm
2.5.5-1+deb12u2
fixed
bookworm (security)
2.5.5-1+deb12u2
fixed
bullseye
2.0.9-2+deb11u4
fixed
bullseye (security)
2.0.9-2+deb11u4
fixed
sid
2.8.2-1
fixed
trixie
2.8.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
composer
bionic
not-affected
focal
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needed
Common Weakness Enumeration
References
https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa
https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf
https://www.sonarsource.com/blog/securing-developer-tools-package-managers/
https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa
https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf
https://www.sonarsource.com/blog/securing-developer-tools-package-managers/