Bug 2241496 (CVE-2023-43655) - CVE-2023-43655 composer: Remote Code Execution via web-accessible composer.phar
Summary: CVE-2023-43655 composer: Remote Code Execution via web-accessible composer.phar
Keywords:
Status: NEW
Alias: CVE-2023-43655
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2241497 2241498
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-09-30 14:29 UTC by Patrick Del Bello
Modified: 2023-09-30 14:29 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Patrick Del Bello 2023-09-30 14:29:18 UTC 
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.


https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf
https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c
https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d
Comment 1 Patrick Del Bello 2023-09-30 14:29:33 UTC 
Created composer tracking bugs for this issue:

Affects: epel-all [bug 2241497]
Affects: fedora-all [bug 2241498]
Note You need to log in before you can comment on or make changes to this bug.