| Vulnerability Name: | CVE-2021-41116 (CCN-211094) |
| Assigned: | 2021-10-05 |
| Published: | 2021-10-05 |
| Updated: | 2022-09-10 |
| Summary: | Composer is an open source dependency manager for the PHP language. In affected versions, Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their Composer version. Other OSs and WSL are not affected. The issue has been resolved in Composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue. |
| CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C); 8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C) |
| CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| Vulnerability Type: | CWE-77 |
| Vulnerability Consequences: | Gain Access |
| References: | Source: MITRE, Type: CNA, CVE-2021-41116; Source: XF, Type: UNKNOWN, composer-cve202141116-cmd-exec(211094); Source: MISC, Type: Patch, Third Party Advisory, https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa; Source: CCN, Type: Composer GIT Repository, Improper escaping of command arguments on Windows leading to command injection; Source: CONFIRM, Type: Third Party Advisory, https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf; Source: CONFIRM, Type: Patch, Release Notes, Third Party Advisory, https://www.tenable.com/security/tns-2022-09 |