usn-7603-1
Vulnerability from osv_ubuntu
Thomas Chauchefoin discovered that Composer did not correctly handle certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655)
Ed Cradock discovered that Composer did not correctly handle the exclusion of certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)
Martin Haunschmid discovered that Composer did not correctly handle git branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35241)
Maciej Piechota discovered that Composer did not correctly handle VCS branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35242)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-24828",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-43655",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35241",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35242",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:16.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "composer",
"binary_version": "1.0.0~beta2-1ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "composer",
"purl": "pkg:deb/ubuntu/composer@1.0.0~beta2-1ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0~beta2-1ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0~alpha10+20150602-1",
"1.0.0~alpha10+20150602-2",
"1.0.0~alpha11-1",
"1.0.0~alpha11-1ubuntu1",
"1.0.0~alpha11-2",
"1.0.0~alpha11-3",
"1.0.0~beta1-1ubuntu1",
"1.0.0~beta2-1",
"1.0.0~beta2-1ubuntu0.1~esm1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-24828",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-43655",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35241",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35242",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "composer",
"binary_version": "1.6.3-1ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "composer",
"purl": "pkg:deb/ubuntu/composer@1.6.3-1ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.3-1ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.1-1",
"1.5.2-1",
"1.6.2-1",
"1.6.3-1",
"1.6.3-1ubuntu0.1~esm1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-24828",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-43655",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35241",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35242",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "composer",
"binary_version": "1.10.1-1ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "composer",
"purl": "pkg:deb/ubuntu/composer@1.10.1-1ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.1-1ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.9.0-2",
"1.9.1-1",
"1.9.2-1",
"1.9.3-1",
"1.10.0-1",
"1.10.1-1",
"1.10.1-1ubuntu0.1~esm1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-24828",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2023-43655",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-24821",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35241",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35242",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "composer",
"binary_version": "2.2.6-2ubuntu4+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "composer",
"purl": "pkg:deb/ubuntu/composer@2.2.6-2ubuntu4+esm1?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.6-2ubuntu4+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.9-2ubuntu2",
"2.0.9-2ubuntu3",
"2.0.13-1ubuntu1",
"2.1.12-1ubuntu1",
"2.2.6-2ubuntu4"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2024-35241",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-35242",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:24.04:LTS"
}
},
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "composer",
"binary_version": "2.7.1-2ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:24.04:LTS",
"name": "composer",
"purl": "pkg:deb/ubuntu/composer@2.7.1-2ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.1-2ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.5.8-1",
"2.6.5-1",
"2.6.6-1",
"2.7.1-2"
]
}
],
"aliases": [],
"details": "Thomas Chauchefoin discovered that Composer did not correctly handle\ncertain arguments. An attacker could possibly use this issue to execute\narbitrary code. This issue only affected Ubuntu 16.04 LTS,\nUbuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.\n(CVE-2022-24828, CVE-2023-43655)\n\nEd Cradock discovered that Composer did not correctly handle the exclusion\nof certain files. An attacker could possibly use this issue to execute\narbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)\n\nMartin Haunschmid discovered that Composer did not correctly handle git\nbranch names. An attacker could possibly use this issue to execute\narbitrary code. (CVE-2024-35241)\n\nMaciej Piechota discovered that Composer did not correctly handle VCS\nbranch names. An attacker could possibly use this issue to execute\narbitrary code. (CVE-2024-35242)",
"id": "USN-7603-1",
"modified": "2026-06-25T10:46:52Z",
"published": "2025-06-30T04:29:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7603-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-24828"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-43655"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-24821"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-35241"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-35242"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "composer vulnerabilities",
"upstream": [
"UBUNTU-CVE-2022-24828",
"UBUNTU-CVE-2023-43655",
"UBUNTU-CVE-2024-24821",
"UBUNTU-CVE-2024-35241",
"UBUNTU-CVE-2024-35242"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.