FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-29 10:45:39 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
33ba2241-c68e-11ee-9ef3-001999f8d30b	Composer -- Code execution and possible privilege escalation Copmposer reports: Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php. Several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. Discovery 2024-02-08 Entry 2024-02-08 php81-composer < 2.7.0 php82-composer < 2.7.0 php83-composer < 2.7.0 CVE-2024-24821 https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
33922b84-5f09-11ee-b63d-0897988a1c07	Remote Code Execution via web-accessible composer Composer project reports: Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini. Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen. Discovery 2023-09-29 Entry 2023-09-29 Modified 2023-09-30 php80-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php81-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php82-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php83-composer < 1.10.27 gt 2.0.0 lt 2.6.4 php80-composer2 < 2.6.4 php81-composer2 < 2.6.4 php82-composer2 < 2.6.4 php83-composer2 < 2.6.4 CVE-2023-43655 https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf

VuXML ID

Description

33ba2241-c68e-11ee-9ef3-001999f8d30b

Composer -- Code execution and possible privilege escalation

Copmposer reports:

Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.

As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.

All Composer CLI commands are affected, including composer.phar's self-update.

Discovery 2024-02-08
Entry 2024-02-08
php81-composer

< 2.7.0

php82-composer

< 2.7.0

php83-composer

< 2.7.0

CVE-2024-24821
https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h

33922b84-5f09-11ee-b63d-0897988a1c07

Remote Code Execution via web-accessible composer

Composer project reports:

Description: Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Workaround: Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

Discovery 2023-09-29
Entry 2023-09-29
Modified 2023-09-30
php80-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php81-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php82-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php83-composer

< 1.10.27

gt 2.0.0 lt 2.6.4

php80-composer2

< 2.6.4

php81-composer2

< 2.6.4

php82-composer2

< 2.6.4

php83-composer2

< 2.6.4

CVE-2023-43655
https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf