High Risk Vulnerability in Composer

Photo of Arrows Pointing to PHP

Recently, several notable software vulnerabilities discovered by security researchers and developers have made their way to the software vulnerability annals. Some rather concerning high-profile data breaches have been part of the latest news as well, like those affecting Twitch and on an even grander scale, Facebook -which suffered a historic 6-hour outage just the other day.

Particularly notable in the cybersecurity milieu seems to be an uptick in software vulnerabilities concerning open-source software or components, such as those attached to fundamental source programming. Recently, trends show that risky software weaknesses affecting the widely-used programming language PHP and its related components are on the rise.

This time, a high-risk software vulnerability affecting PHP dependency management tool Composer was reported by SonarSource developer Paul Gerste, on October 5th, 2021. Composer is a package manager that is very popular among developers.

What is PHP?

PHP is a major server-side programming language utilized largely in the web development/HTML environment. A vast amount of servers and major operating systems support the usage and development of PHP. Almost 80% of all websites utilize PHP, like content management platforms (CMS) WordPress, Joomla, and MediaWiki (Wikipedia’s building blocks) which are written in PHP script. Even though this is an old programming language that may be slightly declining, it will certainly still be around for some time.

What is Composer?

Composer is what is known as a ‘dependency management’ tool, or simply put a smart package manager for PHP. In layman’s terms, a package manager like Composer simplifies the use of libraries with PHP for each undertaken project. Without Composer, using PHP would be a mess, as the user would have to import bits and pieces of library elements manually. This is why Composer can manage packages that the project is dependent on, hence dependency management.

The High-Risk Software Vulnerability

On October 5th, 2021 a high-risk command injection software vulnerability was posted on the GitHub repository. The vulnerability could lead to the complete compromise of a vulnerable (un-updated) system.

Technical Details

Command injection vulnerability CVE-2021-41116 allows a remote attacker to execute arbitrary commands on the target system. The vulnerability exists due to improper input validation on Windows. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system.

Vulnerable Versions

The following version of Composer is vulnerable;

Composer: 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11,  1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 1.10.18, 1.10.19, 1.10.20, 1.10.21, 1.10.22, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8

Important Information For Users

Composer users should know that a fix has been released. Composer versions 1.10.23 and 2.1.9 fix the issue and should be updated immediately via this page under ‘Manual Download’ for versions 1. x or 2. x.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.