{"id":"USN-7603-1","summary":"composer vulnerabilities","details":"Thomas Chauchefoin discovered that Composer did not correctly handle\ncertain arguments. An attacker could possibly use this issue to execute\narbitrary code. This issue only affected Ubuntu 16.04 LTS,\nUbuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.\n(CVE-2022-24828, CVE-2023-43655)\n\nEd Cradock discovered that Composer did not correctly handle the exclusion\nof certain files. An attacker could possibly use this issue to execute\narbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)\n\nMartin Haunschmid discovered that Composer did not correctly handle git\nbranch names. An attacker could possibly use this issue to execute\narbitrary code. (CVE-2024-35241)\n\nMaciej Piechota discovered that Composer did not correctly handle VCS\nbranch names. An attacker could possibly use this issue to execute\narbitrary code. (CVE-2024-35242)","modified":"2026-05-20T16:06:15.557957214Z","published":"2025-06-30T04:29:26Z","related":["UBUNTU-CVE-2022-24828","UBUNTU-CVE-2023-43655","UBUNTU-CVE-2024-24821","UBUNTU-CVE-2024-35241","UBUNTU-CVE-2024-35242"],"upstream":["CVE-2022-24828","CVE-2023-43655","CVE-2024-24821","CVE-2024-35241","CVE-2024-35242","UBUNTU-CVE-2022-24828","UBUNTU-CVE-2023-43655","UBUNTU-CVE-2024-24821","UBUNTU-CVE-2024-35241","UBUNTU-CVE-2024-35242"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7603-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-24828"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-43655"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-24821"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-35241"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-35242"}],"affected":[{"package":{"name":"composer","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/composer?arch=source&distro=esm-infra-legacy%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.0~beta2-1ubuntu0.1~esm2"}]}],"versions":["1.0.0~alpha10+20150602-1","1.0.0~alpha10+20150602-2","1.0.0~alpha11-1","1.0.0~alpha11-1ubuntu1","1.0.0~alpha11-2","1.0.0~alpha11-3","1.0.0~beta1-1ubuntu1","1.0.0~beta2-1","1.0.0~beta2-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.0.0~beta2-1ubuntu0.1~esm2","binary_name":"composer"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7603-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[]}}},{"package":{"name":"composer","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/composer?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.3-1ubuntu0.1~esm2"}]}],"versions":["1.5.1-1","1.5.2-1","1.6.2-1","1.6.3-1","1.6.3-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.6.3-1ubuntu0.1~esm2","binary_name":"composer"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7603-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-24828"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-43655"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35241"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35242"}]}}},{"package":{"name":"composer","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/composer?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.1-1ubuntu0.1~esm2"}]}],"versions":["1.9.0-2","1.9.1-1","1.9.2-1","1.9.3-1","1.10.0-1","1.10.1-1","1.10.1-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.10.1-1ubuntu0.1~esm2","binary_name":"composer"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7603-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"id":"CVE-2022-24828","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-43655"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35241"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35242"}]}}},{"package":{"name":"composer","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/composer?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.6-2ubuntu4+esm1"}]}],"versions":["2.0.9-2ubuntu2","2.0.9-2ubuntu3","2.0.13-1ubuntu1","2.1.12-1ubuntu1","2.2.6-2ubuntu4"],"ecosystem_specific":{"binaries":[{"binary_version":"2.2.6-2ubuntu4+esm1","binary_name":"composer"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7603-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-24828"},{"id":"CVE-2023-43655","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-24821","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35241"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35242"}]}}},{"package":{"name":"composer","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/composer?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.1-2ubuntu0.1~esm1"}]}],"versions":["2.5.8-1","2.6.5-1","2.6.6-1","2.7.1-2"],"ecosystem_specific":{"binaries":[{"binary_version":"2.7.1-2ubuntu0.1~esm1","binary_name":"composer"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7603-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:24.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35241"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2024-35242"}]}}}],"schema_version":"1.7.5"}