Rewterz Threat Advisory – CVE-2021-29472 – PHP vulnerability allows supply-chain attacks

Severity

Medium

Analysis Summary

CVE-2021-29472

An argument injection flaw in Composer, the dependency manager for PHP, lets an attacker who controls a repository URL execute arbitrary commands on the host that runs Composer. Because the public Packagist repository processes user-supplied repository URLs with Composer, the flaw could have been used to tamper with the package metadata served to the PHP ecosystem and so to mount a supply-chain attack against PHP packages.

The root cause is insufficient validation of repository URLs taken from the root composer.json and of package source download URLs. Composer passes these URLs as arguments to version-control commands such as git, hg and svn; a URL that begins with a dash is parsed by the command as an option rather than as a location, so an attacker can inject options that cause the tool to run arbitrary commands. Ordinary shell escaping does not prevent this, because the injected value is a well-formed single argument.
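The following PHP snippet is an added illustration, not Composer's own code, of the pattern described above: a repository URL is shell-escaped and handed to git as an argument, yet a value starting with a dash is still interpreted as an option. The hardened variant rejects option-shaped values, requires a recognised scheme and ends option parsing with `--`. The `findOptionLikeUrls()` helper and the embedded composer.json sample are constructed for this example; the suspicious URL in it is a placeholder, not a real payload, and the validation rules are an assumption about what a reasonable check looks like rather than the exact fix Composer shipped.

```php
<?php
// Added example (not Composer's own code): how an option-shaped repository URL
// reaches a VCS command, and how to validate URLs before building the command.

declare(strict_types=1);

/**
 * Vulnerable pattern: the URL is escaped for the shell, but a value that starts
 * with "-" is still a valid argument and will be parsed as an option by git.
 */
function buildLsRemoteVulnerable(string $url): string
{
    return 'git ls-remote --heads ' . escapeshellarg($url);
}

/**
 * Hardened check (assumed rules for this example): reject empty or
 * option-looking values and accept only URL shapes a VCS driver expects.
 */
function isSafeRepositoryUrl(string $url): bool
{
    if ($url === '' || $url[0] === '-') {
        return false; // git/hg/svn would treat this as an option, not a location
    }
    // scheme://host/path form, or scp-style git@host:path form
    return (bool) preg_match('#^(https?|ssh|git|svn|file)://\S+$#i', $url)
        || (bool) preg_match('#^[\w.-]+@[\w.-]+:\S+$#', $url);
}

/**
 * Hardened pattern: validate first, then terminate option parsing with "--"
 * so the remaining argument can only be interpreted as the repository.
 */
function buildLsRemoteHardened(string $url): string
{
    if (!isSafeRepositoryUrl($url)) {
        throw new InvalidArgumentException("Refusing suspicious repository URL: $url");
    }
    return 'git ls-remote --heads -- ' . escapeshellarg($url);
}

/**
 * Walk a composer.json (or composer.lock) document and return every "url"
 * value that would be parsed as a command-line option.
 */
function findOptionLikeUrls(string $composerJson): array
{
    $data  = json_decode($composerJson, true, 512, JSON_THROW_ON_ERROR);
    $found = [];
    $walk = function ($node) use (&$walk, &$found): void {
        if (!is_array($node)) {
            return;
        }
        foreach ($node as $key => $value) {
            if ($key === 'url' && is_string($value) && !isSafeRepositoryUrl($value)) {
                $found[] = $value;
            } elseif (is_array($value)) {
                $walk($value); // covers repositories[], source.url and dist.url
            }
        }
    };
    $walk($data);
    return $found;
}

// Constructed sample input: one legitimate VCS repository and one whose URL is
// shaped like an option. The second value is illustrative only.
$sample = <<<'JSON'
{
  "repositories": [
    {"type": "vcs", "url": "https://github.com/example/library"},
    {"type": "vcs", "url": "--some-option=value"}
  ]
}
JSON;

echo buildLsRemoteVulnerable('--some-option=value'), PHP_EOL;
// git ls-remote --heads '--some-option=value'  <- git sees an option, not a URL

foreach (findOptionLikeUrls($sample) as $bad) {
    echo 'suspicious url: ', $bad, PHP_EOL;
}

try {
    buildLsRemoteHardened('--some-option=value');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php check.php`; the scanner reports the option-shaped URL and the hardened builder refuses it. The same walk can be pointed at a composer.lock to review the `source` and `dist` URLs of already-resolved packages.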

Impact

Arbitrary Command Execution, Supply-Chain Compromise

Affected Vendors

Composer

Affected Products

Composer up to 1.10.21/2.0.12

Remediation

Upgrade Composer to version 1.10.22 (1.x branch) or 2.0.13 (2.x branch) or later, either with `composer self-update` or from https://github.com/composer/composer/releases/tag/2.0.13. Systems that run Composer against repository URLs supplied by third parties, such as package registries, mirrors and CI runners, should be patched first. Review the repositories declared in composer.json and the source and dist URLs in composer.lock for values that begin with a dash.