Security News > 2021 > April > A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "Backdoor every PHP package," resulting in a supply-chain attack.
"Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer said its release notes for versions 2.0.13 and 1.10.22 published on Wednesday.
Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project.
It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.
The first "Alpha" version of Composer was released on July 3, 2013.
"The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins," Jordi Boggiano, one of the primary developers behind Composer, said.
News URL
Related news
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor (source)
- New R Programming Vulnerability Exposes Projects to Supply Chain Attacks (source)
- JAVS courtroom recording software backdoored in supply chain attack (source)
- Suspected supply chain attack backdoors courtroom recording software (source)