FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-16 12:24:49 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
33ba2241-c68e-11ee-9ef3-001999f8d30bComposer -- Code execution and possible privilege escalation

Copmposer reports:

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.


Discovery 2024-02-08
Entry 2024-02-08
php81-composer
< 2.7.0

php82-composer
< 2.7.0

php83-composer
< 2.7.0

CVE-2024-24821
https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
5f608c68-276c-11ef-8caa-0897988a1c07Composer -- Multiple command injections via malicious git/hg branch names

Composer project reports:

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.


Discovery 2024-06-10
Entry 2024-06-10
php81-composer
< 2.7.7

php82-composer
< 2.7.7

php83-composer
< 2.7.7

CVE-2024-35241
https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
CVE-2024-35242
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf