Security News > 2021 > April > A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "Backdoor every PHP package," resulting in a supply-chain attack.
"Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer said its release notes for versions 2.0.13 and 1.10.22 published on Wednesday.
Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project.
It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.
The first "Alpha" version of Composer was released on July 3, 2013.
"The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins," Jordi Boggiano, one of the primary developers behind Composer, said.
News URL
Related news
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems (source)
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)