| Field | Value |
|---|---|
| Name | CVE-2021-41116 |
| Description | Composer is an open source dependency manager for the PHP language. In affected versions, Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their Composer version. Other OSs and WSL are not affected. The issue has been resolved in Composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| composer (PTS) | stretch (security) | 1.2.2-1+deb9u1 | fixed |
| | stretch (lts), stretch | 1.2.2-1+deb9u3 | fixed |
| | buster (security), buster, buster (lts) | 1.8.4-1+deb10u4 | fixed |
| | bullseye (security), bullseye | 2.0.9-2+deb11u4 | fixed |
| | bookworm (security), bookworm | 2.5.5-1+deb12u2 | fixed |
| | sid, trixie | 2.8.4-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| composer | source | (unstable) | (not affected) | | | |
Notes
- composer <not-affected> (Only affects Windows)
https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf
https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa