FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-29 10:45:39 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
24a9bd2b-bb43-11ec-af81-0897988a1c07	Composer -- Command injection vulnerability Composer developers reports: The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used. Discovery 2022-04-13 Entry 2022-04-13 php74-composer php80-composer php81-composer < 1.10.26 php74-composer2 php80-composer2 php81-composer2 ge 2.0.0 lt 2.2.12 ge 2.3.0 lt 2.3.5 CVE-2022-24828 https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
33ba2241-c68e-11ee-9ef3-001999f8d30b	Composer -- Code execution and possible privilege escalation Copmposer reports: Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php. Several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. Discovery 2024-02-08 Entry 2024-02-08 php81-composer < 2.7.0 php82-composer < 2.7.0 php83-composer < 2.7.0 CVE-2024-24821 https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
33922b84-5f09-11ee-b63d-0897988a1c07	Remote Code Execution via web-accessible composer Composer project reports: Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini. Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen. Discovery 2023-09-29 Entry 2023-09-29 Modified 2023-09-30 php80-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php81-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php82-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php83-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php80-composer2 < 2.6.4 php81-composer2 < 2.6.4 php82-composer2 < 2.6.4 php83-composer2 < 2.6.4 CVE-2023-43655 https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf

VuXML ID

Description

24a9bd2b-bb43-11ec-af81-0897988a1c07

Composer -- Command injection vulnerability

Composer developers reports:

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used.

Discovery 2022-04-13
Entry 2022-04-13
php74-composer
php80-composer
php81-composer

< 1.10.26

php74-composer2
php80-composer2
php81-composer2

ge 2.0.0 lt 2.2.12

ge 2.3.0 lt 2.3.5

CVE-2022-24828
https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6

33ba2241-c68e-11ee-9ef3-001999f8d30b

Composer -- Code execution and possible privilege escalation

Copmposer reports:

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

Discovery 2024-02-08
Entry 2024-02-08
php81-composer

< 2.7.0

php82-composer

< 2.7.0

php83-composer

< 2.7.0

CVE-2024-24821
https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h

33922b84-5f09-11ee-b63d-0897988a1c07

Remote Code Execution via web-accessible composer

Composer project reports:

Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

Discovery 2023-09-29
Entry 2023-09-29
Modified 2023-09-30
php80-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php81-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php82-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php83-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php80-composer2

< 2.6.4

php81-composer2

< 2.6.4

php82-composer2

< 2.6.4

php83-composer2

< 2.6.4

CVE-2023-43655
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf