April 30, 2021
Severity
Medium
Analysis Summary
CVE-2021-29472
A command injection flaw in PHP Composer allows attackers to execute arbitrary commands and establish backdoors in every PHP package. The vulnerability has the potential to be exploited to conduct supply-chain attacks.
The vulnerability is caused by improper sanitization of URLs for repositories in root composer.json files and package source download URLs that could be interpreted as options for system commands executed by Composer.
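The mechanism described above is argument injection: a value that should be a URL is placed where a subprocess expects a positional operand, but because it begins with a dash the program parses it as an option. The following added example (written for this advisory, not Composer's own code) shows why shell escaping alone does not help, a validation routine that rejects option-shaped or non-URL values before they reach a VCS command, and a pre-install check that scans the `repositories` section of a `composer.json` document. The allowed-scheme list, the scp-like pattern, the `target-dir` operand and the sample `composer.json` are assumptions constructed for the example.

```python
from __future__ import annotations

import json
import re
import shlex
from urllib.parse import urlparse

# Schemes a package manager legitimately fetches sources from. This allow-list
# is an assumption for the example, not Composer's own configuration.
ALLOWED_SCHEMES = {"https", "http", "ssh", "git", "file"}

# scp-like syntax accepted by git, e.g. git@github.com:vendor/package.git
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:[A-Za-z0-9._/-]+$")


def naive_clone_argv(url: str) -> list[str]:
    """Unsafe construction: the URL is placed where git expects the
    <repository> operand, but git parses options before operands, so a value
    starting with '-' is read as an option rather than as a location.
    Shell quoting (shlex.quote / escapeshellarg) does not change that: the
    value still reaches git as one intact argument."""
    return ["git", "clone", url, "target-dir"]


def is_safe_repo_url(url: str) -> bool:
    """True only for values that can safely be passed as a positional operand."""
    if url.startswith("-"):            # would be parsed as an option
        return False
    if SCP_LIKE.match(url):            # git@host:path form has no scheme
        return True
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    # file: URLs have no host; every other allowed scheme needs one
    return parsed.scheme == "file" or bool(parsed.netloc)


def safe_clone_argv(url: str) -> list[str]:
    """Validate first, then terminate option parsing with '--' so that the
    operand can never be interpreted as an option, whatever it contains."""
    if not is_safe_repo_url(url):
        raise ValueError(f"refusing to use repository URL {url!r}")
    return ["git", "clone", "--", url, "target-dir"]


def find_suspicious_repo_urls(composer_json_text: str) -> list[str]:
    """Defender-side pre-install check: scan the 'repositories' section of a
    composer.json document and return every URL that fails validation."""
    doc = json.loads(composer_json_text)
    repos = doc.get("repositories", [])
    if isinstance(repos, dict):        # composer also accepts a keyed object
        repos = list(repos.values())
    flagged = []
    for repo in repos:
        url = repo.get("url") if isinstance(repo, dict) else None
        if isinstance(url, str) and not is_safe_repo_url(url):
            flagged.append(url)
    return flagged


# Constructed sample composer.json: one ordinary VCS repository and one whose
# "url" is shaped like a command-line option rather than a location.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/app",
  "repositories": [
    {"type": "vcs", "url": "https://github.com/composer/composer.git"},
    {"type": "vcs", "url": "--option-shaped-value"}
  ]
}"""

if __name__ == "__main__":
    for url in ("https://github.com/composer/composer.git", "--option-shaped-value"):
        # Both render as a "properly quoted" command line; only validation tells them apart.
        print("naive argv:", shlex.join(naive_clone_argv(url)))
    print("flagged:", find_suspicious_repo_urls(SAMPLE_COMPOSER_JSON))
    print("safe argv:", shlex.join(safe_clone_argv("git@github.com:composer/composer.git")))
```

The check is deliberately layered: the dash test blocks the option-shaped case the advisory describes, the scheme and host requirement rejects values that are not repository locations at all, and the `--` separator in the final command protects the operand position even if validation is bypassed or the VCS tool's option parsing changes. Running the scanner over a project's `composer.json` before `composer install` gives the same kind of guard that the patched Composer versions apply internally.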
Impact
Privilege Escalation
Affected Vendors
Composer
Affected Products
Composer versions up to 1.10.21 and up to 2.0.12
Remediation
Download the latest patches and upgrade to version 1.10.22 or 2.0.13 from https://github.com/composer/composer/releases/tag/2.0.13