Main Vulnerability Database Vulnerabilities #VU86276

Incorrect default permissions in composer - CVE-2024-24821

Published: February 8, 2024

Vulnerability identifier: #VU86276

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-24821

CWE-ID: CWE-276

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
composer

Software vendor:
getcomposer.org

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to several files within the local working directory are included during the invocation of Composer and in the context of the executing user. A local user can execute arbitrary code with elevated privileges via the compromised InstalledVersions.php or installed.php files.

Remediation

Install updates from vendor's website.

External links

https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h

Incorrect default permissions in composer - CVE-2024-24821

Description

Remediation

External links

Please verify you're human