Vulnerability in the Composer dependency manager allows compromise of the Packagist PHP repository

A critical vulnerability (CVE-2021-29472) has been found in the Composer dependency manager that allows arbitrary commands to be executed on the system when processing a package whose source URL (the address from which the source code is fetched) has been specially crafted. The problem lies in the GitDriver, SvnDriver and HgDriver components, which are used to work with the Git, Subversion and Mercurial version control systems. The vulnerability is fixed in Composer releases 1.10.22 and 2.0.13.
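The underlying bug class is worth seeing concretely. The VCS drivers handed the "url" value from package metadata to git, svn or hg as a positional argument, so a value beginning with "-" was parsed by the tool as an option rather than as a repository address (for git ls-remote, the publicly documented vector was an "--upload-pack=..." value, which makes git run an attacker-chosen command). The following Python example is added here for illustration and is not Composer's own code; the set of accepted schemes, the scp-style remote pattern and the sample inputs are assumptions made for this example, and only argument vectors are built, nothing is executed.

```python
import re
from urllib.parse import urlsplit

# Schemes a VCS driver would legitimately accept (assumption for this example).
ALLOWED_SCHEMES = {"http", "https", "ssh", "git", "svn", "svn+ssh", "git+ssh", "hg", "file"}
# scp-style remotes such as git@github.com:org/repo.git carry no scheme.
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:[^\s]+$")


def vulnerable_ls_remote_argv(url):
    """Pre-fix pattern: the metadata value goes straight in as a positional
    argument. Nothing stops a value like '--upload-pack=...' from being
    interpreted by git as an option, which is what CVE-2021-29472 abused."""
    return ["git", "ls-remote", url]


def validate_vcs_url(url):
    """Reject anything that is not recognisably a repository address."""
    if not url or url != url.strip():
        raise ValueError("empty or padded url")
    if url.startswith("-"):
        raise ValueError("url must not look like a command-line option")
    if any(c in url for c in "\n\r\x00"):
        raise ValueError("control characters in url")
    scheme = urlsplit(url).scheme.lower()
    if scheme in ALLOWED_SCHEMES or SCP_LIKE.match(url):
        return url
    raise ValueError("unsupported or missing scheme: %r" % scheme)


def hardened_ls_remote_argv(url):
    """Post-fix pattern: validate first, then terminate option parsing with
    '--' so that even a value that slipped past validation reaches git as an
    operand and never as an option."""
    url = validate_vcs_url(url)
    return ["git", "ls-remote", "--", url]


def check_url(url):
    """Return a short verdict string for a candidate url (used for reporting)."""
    try:
        validate_vcs_url(url)
        return "accepted"
    except ValueError as exc:
        return "rejected: %s" % exc


# Constructed sample inputs: two benign remotes, two option-looking values of
# the kind an attacker would place in package metadata, and a bogus scheme.
SAMPLES = [
    "https://github.com/composer/composer.git",
    "git@github.com:composer/composer.git",
    "--upload-pack=touch /tmp/pwned",
    "-oProxyCommand=touch /tmp/pwned",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-45s vulnerable argv: %s" % (sample, vulnerable_ls_remote_argv(sample)))
        print("%-45s hardened:        %s" % ("", check_url(sample)))
```

Run stand-alone, the script shows that the vulnerable builder emits the option-looking values unchanged as the third argv element, while the hardened path rejects them before any process would be spawned. The "--" separator is a second layer, not a replacement for validation: it protects git's own option parser, but an accepted-looking URL can still be dangerous to other components, so both checks belong together.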

It is particularly noted that the problem mainly affected Packagist, the default package repository used by Composer, which lists around 306 thousand PHP packages and serves more than 1.4 billion downloads per month. The researchers showed that, had attackers known about the problem, they could have taken control of the Packagist infrastructure, intercepted maintainers' credentials or redirected package downloads to a third-party server, and then planted backdoors by substituting malicious versions of packages during dependency installation.

The danger for end users is limited by the fact that the contents of composer.json are usually controlled by the user, and source URLs are obtained from third-party repositories that are normally trusted. The main impact fell on the Packagist.org repository and the Private Packagist service, which invoke Composer on data received from users: attackers could execute their code on Packagist servers by publishing a specially crafted package.

The Packagist team fixed the vulnerability within 12 hours of receiving the report. The researchers privately notified the Packagist developers on April 22, and the problem was corrected the same day. The public Composer update with the fix was published on April 27, and the details were disclosed on April 28. An audit of the logs on the Packagist servers revealed no suspicious activity related to the vulnerability.

The problem is caused by an error in the code that validates URLs in the root composer.json file and the links used to download source code. The error is present
