FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Remote Code Execution via web-accessible composer

Affected packages
php80-composer < 1.10.27
2.0.0 < php80-composer < 2.6.4
php81-composer < 1.10.27
2.0.0 < php81-composer < 2.6.4
php82-composer < 1.10.27
2.0.0 < php82-composer < 2.6.4
php83-composer < 1.10.27
2.0.0 < php83-composer < 2.6.4
php80-composer2 < 2.6.4
php81-composer2 < 2.6.4
php82-composer2 < 2.6.4
php83-composer2 < 2.6.4

Details

VuXML ID 33922b84-5f09-11ee-b63d-0897988a1c07
Discovery 2023-09-29
Entry 2023-09-29
Modified 2023-09-30

Composer project reports:

Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

[source]

References

CVE Name CVE-2023-43655
URL https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.