VDB
CVE-2015-8371
CVE-2015-8371
REJECTED
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.
EPSS 0.74% · 73.2th percentile
Risk Scores
EPSS Score
0.74%
73.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | composer | 1.0.0~alpha10+20150602-1, 1.0.0~alpha10+20150602-2, 1.0.0~alpha11-1 |
Exploit Intelligence
- https://github.com/FriendsOfPHP/security-advisories/blob/e26be423c5bcfdb38478d2f92d1f928c15afb561/composer/composer/CVE-2015-8371.yaml (circl)
- https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2015-8371.yml (circl)
- https://github.com/composer/composer (circl)
- https://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html (vulncheck-nvd)
Timeline
- Feb 10, 2016 CVE Published
- Sep 22, 2023 EPSS Score
- Oct 24, 2023 EPSS Score
- Dec 27, 2023 EPSS Score
- Jan 29, 2024 EPSS Score
- Apr 2, 2024 EPSS Score
- May 4, 2024 EPSS Score
- Jun 5, 2024 EPSS Score
- Aug 8, 2024 EPSS Score
- Sep 10, 2024 EPSS Score
- Oct 12, 2024 EPSS Score
- Dec 16, 2024 EPSS Score
References
- https://ubuntu.com/security/CVE-2015-8371 third-party-advisory
- http://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2015-8371 third-party-advisory