git: b3fafb5cba99 - main - security/vuxml: Add new php-composer vulnerability.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 08 Feb 2024 14:37:13 UTC
The branch main has been updated by madpilot:
URL: https://cgit.FreeBSD.org/ports/commit/?id=b3fafb5cba9975027affb385f8022e5cf2896cd1
commit b3fafb5cba9975027affb385f8022e5cf2896cd1
Author: Guido Falsi <madpilot@FreeBSD.org>
AuthorDate: 2024-02-08 14:36:42 +0000
Commit: Guido Falsi <madpilot@FreeBSD.org>
CommitDate: 2024-02-08 14:36:42 +0000
security/vuxml: Add new php-composer vulnerability.
---
security/vuxml/vuln/2024.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index 165cb0b40ea7..8a83ecbdc818 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,48 @@
+ <vuln vid="33ba2241-c68e-11ee-9ef3-001999f8d30b">
+ <topic>Composer -- Code execution and possible privilege escalation</topic>
+ <affects>
+ <package>
+ <name>php81-composer</name>
+ <range><lt>2.7.0</lt></range>
+ </package>
+ <package>
+ <name>php82-composer</name>
+ <range><lt>2.7.0</lt></range>
+ </package>
+ <package>
+ <name>php83-composer</name>
+ <range><lt>2.7.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Copmposer reports:</p>
+ <blockquote cite="https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h">
+ <p>Code execution and possible privilege escalation via
+ compromised InstalledVersions.php or installed.php.</p>
+ <p>Several files within the local working directory are
+ included during the invocation of Composer and in the
+ context of the executing user.</p>
+ <p>As such, under certain conditions arbitrary code
+ execution may lead to local privilege escalation, provide
+ lateral user movement or malicious code execution when
+ Composer is invoked within a directory with tampered
+ files.</p>
+ <p>All Composer CLI commands are affected, including
+ composer.phar's self-update.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2024-24821</cvename>
+ <url>https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h</url>
+ </references>
+ <dates>
+ <discovery>2024-02-08</discovery>
+ <entry>2024-02-08</entry>
+ </dates>
+ </vuln>
+
<vuln vid="43768ff3-c683-11ee-97d0-001b217b3468">
<topic>Libgit2 -- multiple vulnerabilities</topic>
<affects>