Code execution and possible privilege escalation via
compromised InstalledVersions.php or installed.php.
Several files within the local working directory are
included during the invocation of Composer and in the
context of the executing user.
As such, under certain conditions arbitrary code
execution may lead to local privilege escalation, lateral
user movement, or malicious code execution when Composer
is invoked within a directory with tampered files.
All Composer CLI commands are affected, including
composer.phar's self-update.
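
A pre-flight check for the condition described above, as an added example (not Composer's own code): before Composer is run in a directory, it flags the two named files, and the directory holding them, when they are symlinks, owned by another user, or writable by group or others. The `vendor/composer/` location (Composer's default vendor-dir) and the function name `composer_preflight` are assumptions of this example.

```shell
#!/bin/sh
# Added example: refuse to run Composer when the files it would include
# from the working directory could have been written by someone else.
# Assumption: the files live in <project>/vendor/composer/ (default vendor-dir).

# Prints one line per finding. Returns 0 if clean, 1 if anything was flagged.
composer_preflight() {
    project_dir=$1
    me=$(id -u)
    findings=0
    dir="$project_dir/vendor/composer"

    for p in "$dir" "$dir/InstalledVersions.php" "$dir/installed.php"; do
        # Path absent: Composer has nothing to include from it.
        [ -e "$p" ] || [ -L "$p" ] || continue

        # A symlink can point at a file controlled by another user.
        if [ -L "$p" ]; then
            echo "symlink: $p"
            findings=1
            continue
        fi

        # Owned by a different user than the one about to invoke Composer.
        if [ -z "$(find "$p" -prune -user "$me")" ]; then
            echo "foreign-owner: $p"
            findings=1
        fi

        # Group-writable (020) or world-writable (002).
        if [ -n "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            echo "group-or-world-writable: $p"
            findings=1
        fi
    done

    return "$findings"
}

# Usage: composer_preflight . && composer install
```

A clean result only covers the paths checked here; it does not establish that the rest of the working directory is trustworthy.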