Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3777 advisory.

  - Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible     server where the composer.phar can be executed as a php file may be subject to a remote code execution     vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27     patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure     `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not     best practice. (CVE-2023-43655)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-d5ab1f0b44 advisory.

    **Version 2.6.5** -  2023-10-06

      * Fixed error when vendor dir contains broken symlinks (#11670)
      * Fixed composer.lock missing from Composer's zip archives (#11674)
      * Fixed AutoloadGenerator::dump() non-BC signature change in 2.6.4 (cb363b0e8)



    ----

    **Version 2.6.4** -  2023-09-29

      * Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible,     executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / **CVE-2023-43655**)
      * Fixed json output of abandoned packages in audit command (#11647)
      * Performance improvement in pool optimization step (#11638)
      * Performance improvement in `show -a <packagename>` (#11659)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-384 advisory.

    Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible     server where the composer.phar can be executed as a php file may be subject to a remote code execution     vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27     patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure     `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not     best practice. (CVE-2023-43655)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-275c12e496 advisory.

    **Version 2.6.5** -  2023-10-06

      * Fixed error when vendor dir contains broken symlinks (#11670)
      * Fixed composer.lock missing from Composer's zip archives (#11674)
      * Fixed AutoloadGenerator::dump() non-BC signature change in 2.6.4 (cb363b0e8)



    ----

    **Version 2.6.4** -  2023-09-29

      * Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible,     executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / **CVE-2023-43655**)
      * Fixed json output of abandoned packages in audit command (#11647)
      * Performance improvement in pool optimization step (#11638)
      * Performance improvement in `show -a <packagename>` (#11659)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-f3dedfef46 advisory.

    **Version 2.6.5** -  2023-10-06

      * Fixed error when vendor dir contains broken symlinks (#11670)
      * Fixed composer.lock missing from Composer's zip archives (#11674)
      * Fixed AutoloadGenerator::dump() non-BC signature change in 2.6.4 (cb363b0e8)



    ----

    **Version 2.6.4** -  2023-09-29

      * Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible,     executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / **CVE-2023-43655**)
      * Fixed json output of abandoned packages in audit command (#11647)
      * Performance improvement in pool optimization step (#11638)
      * Performance improvement in `show -a <packagename>` (#11659)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:4041-1 advisory.

  - Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible     server where the composer.phar can be executed as a php file may be subject to a remote code execution     vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27     patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure     `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not     best practice. (CVE-2023-43655)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 33922b84-5f09-11ee-b63d-0897988a1c07 advisory.

  - Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible     server where the composer.phar can be executed as a php file may be subject to a remote code execution     vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27     patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure     `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not     best practice. (CVE-2023-43655)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
192620	Debian dla-3777 : composer - security update	Nessus	Debian Local Security Checks	high
185252	Fedora 39 : composer (2023-d5ab1f0b44)	Nessus	Fedora Local Security Checks	high
183803	Amazon Linux 2023 : composer (ALAS2023-2023-384)	Nessus	Amazon Linux Local Security Checks	high
183097	Fedora 37 : composer (2023-275c12e496)	Nessus	Fedora Local Security Checks	high
183096	Fedora 38 : composer (2023-f3dedfef46)	Nessus	Fedora Local Security Checks	high
182904	SUSE SLES15 / openSUSE 15 Security Update : php-composer2 (SUSE-SU-2023:4041-1)	Nessus	SuSE Local Security Checks	high
182378	FreeBSD : Remote Code Execution via web-accessible composer (33922b84-5f09-11ee-b63d-0897988a1c07)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2023-43655

high

Tenable Plugins

high

high

high

high

high

high

high