How severe is CVE-2021-29472?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2021-29472?

This is classified as CWE-88, which is a common weakness in software security.

CVE-2021-29472

HIGH Year: 2021

CVSS v3 Score

8.8

High

CVSS v2 Score

6.5

Medium

Weakness Type

CWE-88

View all →

Vulnerability Description

Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches for this issue.

CVE-2018-20234

HIGH

CVSS:8.8(High)

There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories. A remote attacker with permission to comm...

CWE-882018

CVE-2019-11582

HIGH

CVSS:8.8(High)

An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a craft...

CWE-882019

CVE-2019-11751

HIGH

CVSS:8.8(High)

Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to...

CWE-882019

CVE-2019-13475

HIGH

CVSS:8.8(High)

In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on ...

CWE-882019

CVE-2019-15498

HIGH

CVSS:8.8(High)

cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/c...

CWE-882019

CVE-2019-3931

HIGH

CVSS:8.8(High)

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argumention injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attac...

CWE-882019

CVE-2021-29472

Vulnerability Description

Related Vulnerabilities

CVE-2018-20234

CVE-2019-11582

CVE-2019-11751

CVE-2019-13475

CVE-2019-15498

CVE-2019-3931