Composer vulnerable to command injection via malicious git branch name

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

在命令中使用的特殊元素转义处理不恰当(命令注入)

composer 安全漏洞

composer是一个应用软件。提供一个声明，管理和安装PHP项目的依赖项。 composer 2.2.24 和 2.7.7 之前版本存在安全漏洞，该漏洞源于可以使用 status、reinstall 和 remove命令以及通过 git 从源码安装的包含存储库中特制分支名称的软件包来执行代码。

N/A

N/A