CVE-2022-24828

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

The Composer method `VcsDriver::getFileContent()` with user-controlled `$file` or `$identifier` arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used. This led to a vulnerability on Packagist.org and Private Packagist, i.e., using the composer.json `readme` field as a vector for injecting parameters into the `$file` argument for the Mercurial driver or via the `$identifier` argument for the Git and Mercurial drivers. Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project's composer.json. To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.

The Composer method `VcsDriver::getFileContent()` with user-controlled `$file` or `$identifier` arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used. This led to a vulnerability on Packagist.org and Private Packagist, i.e., using the composer.json `readme` field as a vector for injecting parameters into the `$file` argument for the Mercurial driver or via the `$identifier` argument for the Git and Mercurial drivers. Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project's composer.json. To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.

Composer es un administrador de dependencias para el lenguaje de programación PHP. Los integradores usando el código de Composer para llamar a la función "VcsDriver::getFileContent" pueden tener una vulnerabilidad de inyección de código si el usuario puede controlar el argumento "$file" o "$identifier". Esto conlleva a una vulnerabilidad en packagist.org, por ejemplo, donde el campo "readme" de composer.json puede ser usado como vector para inyectar parámetros en hg/Mercurial por medio del argumento "$file", o en git por medio del argumento "$identifier" si son permitidos datos arbitrarios allí (Packagist no lo hace, pero quizás otros integradores sí). El propio Composer no debería verse afectado por la vulnerabilidad, ya que no llama a "getFileContent" con datos arbitrarios en $file"/"$identifier". Por lo que sabemos, no ha sido abusado de ello, y la vulnerabilidad ha sido parcheada en packagist.org y en Private Packagist un día después del informe de la vulnerabilidad