Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

According to its self-reported version, the Tenable Security Center running on the remote host is version 6.6.0. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2025-20 advisory.

  - Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On     Windows, when an executable file named `cmd.exe` is located in the current working directory it will be     called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue     has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are     no known workarounds for this vulnerability. (CVE-2024-51736)

  - Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting     in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in     CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51,     5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. (CVE-2023-46734)

  - The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0     and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with     any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned     message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue. (CVE-2025-27773)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7603-1 advisory.

    Thomas Chauchefoin discovered that Composer did not correctly handle certain arguments. An attacker could     possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04     LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655)

    Ed Cradock discovered that Composer did not correctly handle the exclusion of certain files. An attacker     could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.
    (CVE-2024-24821)

    Martin Haunschmid discovered that Composer did not correctly handle git branch names. An attacker could     possibly use this issue to execute arbitrary code. (CVE-2024-35241)

    Maciej Piechota discovered that Composer did not correctly handle VCS branch names. An attacker could     possibly use this issue to execute arbitrary code. (CVE-2024-35242)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-650 advisory.

    Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the     `status`, `reinstall` and `remove` commands with packages installed from source via git containing     specially crafted branch names in the repository can be used to execute code. Patches for this issue are     available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing     dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
    (CVE-2024-35241)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2107-1 advisory.

    - CVE-2024-35241: Fixed code execution when installing packages in repository with specially crafted     branch names (bsc#1226181).
    - CVE-2024-35242: Fixed command injection via specially crafted branch names during repository cloning     (bsc#1226182).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2106-1 advisory.

    - CVE-2024-35241: Fixed code execution when installing packages in repository with specially crafted     branch names (bsc#1226181).
    - CVE-2024-35242: Fixed command injection via specially crafted branch names during repository cloning     (bsc#1226182).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-bb55f8476a advisory.

    **Version 2.7.7** 2024-06-10

      * Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c /
    **CVE-2024-35241**)
      * Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf /
    **CVE-2024-35242**)
      * Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to     new violations being shown (#11957)
      * Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing     branches (#12000)
      * Fixed new platform requirements from composer.json not being checked if the lock file is outdated     (#12001)
      * Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
      * Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
      * Fixed perforce argument escaping (3773f775)
      * Fixed handling of zip bombs when extracting archives (de5f7e32)
      * Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding     conversion (3130a7455, 04a63b324)
      * Fixed ability for `config` command to remove autoload keys (#11967)
      * Fixed empty `type` support in `init` command (#11999)
      * Fixed git clone errors when `safe.bareRepository` is set to `strict` in the git config (#11969)
      * Fixed regression showing network errors on PHP <8.1 (#11974)
      * Fixed some color bleed from a few warnings (#11972)



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3838 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3838-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                           Chris Lamb     June 19, 2024                                 https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : composer     Version        : 1.8.4-1+deb10u4     CVE IDs        : CVE-2024-35241 CVE-2024-35242     Debian Bugs    : 1073125 1073126

    It was discovered that there were a number of command-line injection     vulnerabilities in Composer, a popular dependency manager for PHP.

    The 'install', 'status', 'reinstall' and 'remove' functionality had     issues when used with Git or Hg repositories which used maliciously-     crafted branch names, which could have been abused to execute     arbitrary shell commands.

    For Debian 10 buster, this problem has been fixed in version     1.8.4-1+deb10u4.

    We recommend that you upgrade your composer packages.

    For the detailed security status of composer please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/composer

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-9ed24c98cd advisory.

    **Version 2.7.7** 2024-06-10

      * Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c /
    **CVE-2024-35241**)
      * Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf /
    **CVE-2024-35242**)
      * Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to     new violations being shown (#11957)
      * Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing     branches (#12000)
      * Fixed new platform requirements from composer.json not being checked if the lock file is outdated     (#12001)
      * Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
      * Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
      * Fixed perforce argument escaping (3773f775)
      * Fixed handling of zip bombs when extracting archives (de5f7e32)
      * Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding     conversion (3130a7455, 04a63b324)
      * Fixed ability for `config` command to remove autoload keys (#11967)
      * Fixed empty `type` support in `init` command (#11999)
      * Fixed git clone errors when `safe.bareRepository` is set to `strict` in the git config (#11969)
      * Fixed regression showing network errors on PHP <8.1 (#11974)
      * Fixed some color bleed from a few warnings (#11972)





Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5715 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5715-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     June 18, 2024                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : composer     CVE ID         : CVE-2024-35241 CVE-2024-35242

    Two vulnerabilities have been discovered in Composer, a dependency     manager for PHP, which could result in arbitrary command execution by     operating on malicious git/hg repositories.

    For the oldstable distribution (bullseye), these problems have been fixed     in version 2.0.9-2+deb11u3.

    For the stable distribution (bookworm), these problems have been fixed in     version 2.5.5-1+deb12u2.

    We recommend that you upgrade your composer packages.

    For the detailed security status of composer please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/composer

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 5f608c68-276c-11ef-8caa-0897988a1c07 advisory.

    Composer project reports:
    The status, reinstall and remove commands with packages               installed from source via git containing specially crafted               branch names in the repository can be used to execute               code.
    The composer install command running inside a git/hg               repository which has specially crafted branch names can               lead to command injection. So this requires cloning               untrusted repositories.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
266393	Tenable Security Center Multiple Vulnerabilities (TNS-2025-20)	Nessus	Misc.	high
241064	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Composer vulnerabilities (USN-7603-1)	Nessus	Ubuntu Local Security Checks	high
202169	Amazon Linux 2023 : composer (ALAS2023-2024-650)	Nessus	Amazon Linux Local Security Checks	high
200805	SUSE SLES15 / openSUSE 15 Security Update : php-composer2 (SUSE-SU-2024:2107-1)	Nessus	SuSE Local Security Checks	high
200802	SUSE SLES15 / openSUSE 15 Security Update : php-composer2 (SUSE-SU-2024:2106-1)	Nessus	SuSE Local Security Checks	high
200769	Fedora 39 : composer (2024-bb55f8476a)	Nessus	Fedora Local Security Checks	high
200768	Debian dla-3838 : composer - security update	Nessus	Debian Local Security Checks	high
200747	Fedora 40 : composer (2024-9ed24c98cd)	Nessus	Fedora Local Security Checks	high
200705	Debian dsa-5715 : composer - security update	Nessus	Debian Local Security Checks	high
200310	FreeBSD : Composer -- Multiple command injections via malicious git/hg branch names (5f608c68-276c-11ef-8caa-0897988a1c07)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2024-35241

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high