High severityNVD Advisory· Published Oct 5, 2021· Updated Aug 4, 2024
Command injection in composer on Windows
CVE-2021-41116
Description
Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
composer/composerPackagist | < 1.10.23 | 1.10.23 |
composer/composerPackagist | >= 2.0.0-alpha1, < 2.1.9 | 2.1.9 |
Affected products
7- osv-coords6 versionspkg:bitnami/composerpkg:composer/composer/composerpkg:rpm/opensuse/php-composer2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/php-composer&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/php-composer&distro=openSUSE%20Tumbleweedpkg:rpm/suse/php-composer&distro=SUSE%20Package%20Hub%2015%20SP3
< 1.10.23+ 5 more
- (no CPE)range: < 1.10.23
- (no CPE)range: < 1.10.23
- (no CPE)range: < 2.1.12-1.1
- (no CPE)range: < 1.10.26-bp153.2.6.1
- (no CPE)range: < 1.10.25-1.1
- (no CPE)range: < 1.10.26-bp153.2.6.1
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-frqg-7g38-6gcfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41116ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-41116.yamlghsaWEB
- github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aaghsax_refsource_MISCWEB
- github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcfghsax_refsource_CONFIRMWEB
- www.sonarsource.com/blog/securing-developer-tools-package-managersghsaWEB
- www.sonarsource.com/blog/securing-developer-tools-package-managers/mitrex_refsource_MISC
- www.tenable.com/security/tns-2022-09ghsaWEB
News mentions
0No linked articles in our index yet.