Bugzilla – Bug 1215859
VUL-0: CVE-2023-43655: php-composer2: composer: Remote Code Execution via web-accessible composer.phar
Last modified: 2024-05-29 17:56:51 UTC
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a PHP file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. With that setting on, the web SAPI populates `$_SERVER['argv']` from the request's query string, so an HTTP client supplies the "command line" that the tool then parses; that is the mechanism, and it does not apply to a phar run from a shell. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini for the web SAPI actually serving requests (the CLI SAPI's php.ini is a different file and is not the one that matters here), and should avoid publishing composer.phar under a web root at all: a CLI tool has no reason to be reachable over HTTP, and serving it is not best practice. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43655
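The following is an added illustrative example, not Composer's own code or its fix. It makes the mechanism visible without a web server: `argvFromQueryString` emulates PHP's documented behaviour of deriving `$_SERVER['argv']` from the query string (split on `+`) when `register_argc_argv` is on in a web SAPI, and `trustedArgv` is the guard a CLI-only entry point should apply before it hands argv to its console layer. Function names and the sample argument lists are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustrative example, not Composer's code. Function names are hypothetical.

/**
 * Emulates PHP's documented behaviour when register_argc_argv=On in a web
 * SAPI (CGI, FPM, mod_php): $_SERVER['argv'] is built from the query string,
 * split on '+'. Constructed here so the effect is visible without a web server.
 */
function argvFromQueryString(string $queryString): array
{
    return $queryString === '' ? [] : explode('+', $queryString);
}

/**
 * The guard a CLI-only tool should apply before it reads argv: only the CLI
 * SAPIs hand over a command line typed by a local user. Under any other SAPI
 * the array can be request-controlled, so refuse instead of parsing it.
 * Returns null when the tool must not run.
 */
function trustedArgv(string $sapi, array $server): ?array
{
    if (!in_array($sapi, ['cli', 'phpdbg'], true)) {
        return null;
    }
    return (isset($server['argv']) && is_array($server['argv'])) ? $server['argv'] : [];
}

function demo(): void
{
    // Case 1: a real CLI run; argv comes from the shell.
    $cli = trustedArgv('cli', ['argv' => ['composer.phar', 'show', '--installed']]);
    printf("cli:      %s\n", json_encode($cli));

    // Case 2: the same phar served by php-fpm with register_argc_argv=On.
    // A GET whose query string is "attacker+chosen+arguments" (constructed
    // here) would become the tool's argv. Symfony Console's ArgvInput, the
    // console layer Composer uses, defaults to $_SERVER['argv'], so whatever
    // the request contains is what gets parsed unless a guard stops it.
    $request = [
        'argv'           => argvFromQueryString('attacker+chosen+arguments'),
        'REQUEST_METHOD' => 'GET',
    ];
    $web = trustedArgv('fpm-fcgi', $request);
    printf("fpm-fcgi: %s\n", $web === null ? 'refused (not a CLI SAPI)' : json_encode($web));
}

// What the entry point of a CLI tool should do first. If this file were ever
// served by a web SAPI it stops here instead of parsing request-controlled argv.
if (trustedArgv(PHP_SAPI, $_SERVER) === null) {
    echo "refusing to run under SAPI '" . PHP_SAPI . "'\n";
    exit(1);
}
demo();
```

Run it with `php example.php` to see both cases. When checking a host, inspect the setting of the SAPI that serves requests (for example `php-fpm -i | grep register_argc_argv`, or phpinfo() through the web server); `php -i` reports the CLI SAPI, which forces `register_argc_argv` on regardless of php.ini and therefore says nothing about the exposure. Independently of the ini setting, the web server should not hand `.phar` files to the PHP handler, and composer.phar should not be under the document root in the first place.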
Submitted into develproject: https://build.opensuse.org/request/show/1114790 Also submitted for 15sp4/php-composer2.
Submitted also into Factory. I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1215859) was mentioned in https://build.opensuse.org/request/show/1114950 Factory / php-composer2
SUSE-SU-2023:4041-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1215859
CVE References: CVE-2023-43655
Sources used:
openSUSE Leap 15.4 (src): php-composer2-2.2.3-150400.3.6.1
openSUSE Leap 15.5 (src): php-composer2-2.2.3-150400.3.6.1
Web and Scripting Module 15-SP4 (src): php-composer2-2.2.3-150400.3.6.1
Web and Scripting Module 15-SP5 (src): php-composer2-2.2.3-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.