Home > Vulnerability Database > CVE-2023-43655

Mend.io Vulnerability Database

CVE-2023-43655

Date: September 29, 2023

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has "register_argc_argv" enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure "register_argc_argv" is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

Language: PHP

Severity Score

6.4

Related Resources (15)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE

Url: https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c

Url: https://security-tracker.debian.org/tracker/CVE-2023-43655

Url: https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d

Url: https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2

Url: https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-43655

Url: https://github.com/composer/composer

Url: https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG

Url: https://www.mend.io/vulnerability-database/CVE-2023-43655

Severity Score

6.4

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

CVSS v3.1

Base Score:	6.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-43655

Date: September 29, 2023

Language: PHP

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?