Executive Summary

Information

Name: CVE-2021-29472
Vendor: Cve
First vendor publication: 2021-04-27
Last vendor modification: 2023-11-07

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Overall CVSS score: 8.8
Base score: 8.8
Environmental score: 8.8
Temporal score: 8.8
Impact sub score: 5.9
Exploitability sub score: 2.8

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS base score: 6.5
CVSS impact score: 6.4
CVSS exploit score: 8
Attack range: Network
Attack complexity: Low
Authentication: Requires single instance

Detail

Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches for this issue.
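The weakness described above (CWE-88, argument injection) arises when a repository URL taken from untrusted input is placed on the `hg` command line without validation, so that a value beginning with a dash is parsed by Mercurial as an option rather than a location. The following PHP is an added example written for this page; it is not Composer's own code and does not reproduce its HgDriver. It assumes only standard PHP (`escapeshellarg`, `preg_match`) and shows the two defensive steps a consumer of user-supplied VCS URLs would want: reject option-like or shell-unsafe values outright, and terminate option parsing with `--` before the operand.

```php
<?php
// Added example (not Composer's code): validate a repository URL before it is
// handed to the `hg` command line, and build the command with `--` and quoting.

/**
 * Reject values that hg could parse as an option instead of a repository URL.
 * Accepts only URLs with an explicit remote scheme, no leading dash, and no
 * whitespace or shell metacharacters.
 */
function isSafeHgUrl(string $url): bool
{
    // Anything beginning with '-' is read by hg as an option, not a location.
    if ($url === '' || $url[0] === '-') {
        return false;
    }
    // Require an explicit remote scheme; a bare path or option-like token fails here.
    if (!preg_match('#^(https?|ssh)://[^\s]+$#', $url)) {
        return false;
    }
    // A repository URL never legitimately contains these characters.
    if (preg_match('/[\s;&|`$<>]/', $url)) {
        return false;
    }
    return true;
}

/**
 * Build the `hg identify` command line for a validated URL.
 * `--` tells hg that everything after it is an operand, and escapeshellarg()
 * stops the shell from interpreting the value.
 */
function buildHgIdentifyCommand(string $url): string
{
    if (!isSafeHgUrl($url)) {
        throw new InvalidArgumentException('Refusing to pass unsafe value to hg: ' . $url);
    }
    return 'hg identify -- ' . escapeshellarg($url);
}

// Constructed sample inputs (hypothetical hosts) to exercise the check.
$samples = [
    'https://hg.example.org/repo',        // accepted: ordinary remote URL
    '--some-option',                      // rejected: option-like value
    'https://hg.example.org/repo;id',     // rejected: shell metacharacter
    '/srv/hg/repo',                       // rejected: no remote scheme
];
foreach ($samples as $candidate) {
    try {
        echo buildHgIdentifyCommand($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The allow-list on scheme and character set is the part that matters for services such as package registries that accept URLs from arbitrary users; quoting alone does not help when the value itself is a syntactically valid option, which is why the leading-dash check and the `--` separator are applied together.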

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29472

CWE : Common Weakness Enumeration

Percentage  Id      Name
50 %        CWE-94  Failure to Control Generation of Code ('Code Injection')
50 %        CWE-88  Argument Injection or Modification

CPE : Common Platform Enumeration

Type         Count
Application  12
Os           2
Os           2

Sources (Detail)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...

Source   Url
CONFIRM https://github.com/composer/composer/security/advisories/GHSA-h5h8-pc6h-jvvx
DEBIAN https://www.debian.org/security/2021/dsa-4907
MISC https://blog.sonarsource.com/php-supply-chain-attack-on-composer/
https://getcomposer.org/
MLIST https://lists.debian.org/debian-lts-announce/2021/05/msg00009.html

Alert History

Date                 Information
2023-11-07 21:35:03
  • Multiple Updates
2023-09-29 13:09:42
  • Multiple Updates
2022-12-13 21:27:45
  • Multiple Updates
2022-08-02 21:27:42
  • Multiple Updates
2022-06-04 09:27:16
  • Multiple Updates
2021-05-26 09:23:14
  • Multiple Updates
2021-05-12 09:23:02
  • Multiple Updates
2021-05-08 05:22:48
  • Multiple Updates
2021-04-30 17:22:49
  • Multiple Updates
2021-04-28 17:22:54
  • Multiple Updates
2021-04-28 05:22:53
  • First insertion