Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:3020-1 advisory.

  - Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call     `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or     `$identifier` argument. This leads to a vulnerability on packagist.org for example where the     composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the     `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does     not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it     does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our     knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private     Packagist within a day of the vulnerability report. (CVE-2022-24828)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0132-1 advisory.

  - Composer is an open source dependency manager for the PHP language. In affected versions windows users     running Composer to install untrusted dependencies are subject to command injection and should upgrade     their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer     versions 1.10.23 and 2.1.9. There are no workarounds for this issue. (CVE-2021-41116)

  - Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call     `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or     `$identifier` argument. This leads to a vulnerability on packagist.org for example where the     composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the     `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does     not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it     does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our     knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private     Packagist within a day of the vulnerability report. (CVE-2022-24828)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is less than 5.21.0 and is therefore affected by multiple vulnerabilities:

    - A command injection vulnerability exists in Composer. An unauthenticated, remote attacker can exploit this       to execute arbitrary commands by installing untrusted dependencies. (CVE-2021-41116)     
    - A code injection vulnerability exists in Composer. An unauthenticated, remote attacker can exploit this       to execute arbitrary commands by controlling the $file or $identifier argument. (CVE-2022-24828)     
    - Read/write beyond bounds - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to       overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version       2.4.52 and prior versions. (CVE-2022-23943)   Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 24a9bd2b-bb43-11ec-af81-0897988a1c07 advisory.

  - Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call     `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or     `$identifier` argument. This leads to a vulnerability on packagist.org for example where the     composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the     `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does     not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it     does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our     knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private     Packagist within a day of the vulnerability report. (CVE-2022-24828)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
164692	SUSE SLES15 Security Update : php-composer2 (SUSE-SU-2022:3020-1)	Nessus	SuSE Local Security Checks	high
160972	openSUSE 15 Security Update : php-composer (openSUSE-SU-2022:0132-1)	Nessus	SuSE Local Security Checks	critical
160883	Tenable SecurityCenter < 5.21.0 Multiple Vulnerabilities (TNS-2022-09)	Nessus	Misc.	critical
159723	FreeBSD : Composer -- Command injection vulnerability (24a9bd2b-bb43-11ec-af81-0897988a1c07)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-24828

high

Tenable Plugins

high

critical

critical

high