Problem/Motivation
Cover-My-Behind Disclaimer:
Discussed this with @longwave from the Security Team and this CVE was found suitable to be handled in public.
https://github.com/advisories/GHSA-7c6p-848j-wh5h
https://www.cve.org/CVERecord?id=CVE-2024-24821
Steps to reproduce
$ composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+---------------------------------------------------------------------------+
| Package           | composer/composer                                                         |
| CVE               | CVE-2024-24821                                                            |
| Title             | Composer code execution and possible privilege escalation via compromised |
|                   | InstalledVersions.php or installed.php                                    |
| URL               | https://github.com/advisories/GHSA-7c6p-848j-wh5h                         |
| Affected versions | >=2.3.0-rc1,<2.7.0|>=2.0.0-alpha1,<2.2.23                                 |
| Reported at       | 2024-02-08T15:06:38+00:00                                                 |
+-------------------+---------------------------------------------------------------------------+
Proposed resolution
Update composer/composer to the latest release and bump the version constraint in composer.json to ^2.7.
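The audit output above already names the affected ranges, but a project that cannot run `composer audit` in every environment (an offline CI gate, or a lock file reviewed out of tree) may want the same check against composer.lock directly. The following is an added example, not code from this issue, from Drupal or from Composer: it parses the "|"- and ","-separated range syntax exactly as printed in the audit table, compares versions with a simplified approximation of Composer's ordering (dev < alpha < beta < RC < stable, four numeric components), and scans a constructed composer.lock excerpt. The lock excerpt and the function names are assumptions made for the illustration.

```python
"""Offline check of a composer.lock against the affected version ranges for
CVE-2024-24821 (composer/composer). Added example; not part of the issue.

Range syntax is the one `composer audit` prints on this page:
">=2.3.0-rc1,<2.7.0|>=2.0.0-alpha1,<2.2.23" ("|" separates alternatives,
"," joins constraints that must all hold). The version comparison below is a
simplified approximation of Composer's own normalisation and ordering.
"""
import json
import re

AFFECTED_RANGES = ">=2.3.0-rc1,<2.7.0|>=2.0.0-alpha1,<2.2.23"

# Pre-release ordering used by Composer: dev < alpha < beta < RC < stable.
_STABILITY_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_STABLE_RANK = 4

_VERSION_RE = re.compile(
    r"^v?(?P<nums>\d+(?:\.\d+)*)(?:[-.]?(?P<tag>dev|alpha|a|beta|b|rc)(?P<n>\d*))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '2.3.0-rc1' into a comparable tuple: ((2, 3, 0, 0), 3, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group("nums").split(".")]
    nums += [0] * (4 - len(nums))  # Composer pads versions to four components
    nums = tuple(nums[:4])
    tag = m.group("tag")
    if tag is None:
        return (nums, _STABLE_RANK, 0)
    return (nums, _STABILITY_RANK[tag.lower()], int(m.group("n") or 0))


_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
}
_CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|==|=)\s*(.+)$")


def version_matches(version, ranges):
    """True if `version` satisfies any '|'-separated alternative in `ranges`."""
    v = parse_version(version)
    for alternative in ranges.split("|"):
        satisfied = True
        for constraint in alternative.split(","):
            m = _CONSTRAINT_RE.match(constraint.strip())
            if not m:
                raise ValueError(f"unsupported constraint: {constraint!r}")
            op, bound = m.groups()
            if not _OPS[op](v, parse_version(bound)):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def affected_packages(lock_json, package="composer/composer", ranges=AFFECTED_RANGES):
    """Return [(name, version)] for locked copies of `package` inside `ranges`.

    Both "packages" and "packages-dev" are checked: the advisory concerns the
    installed tool regardless of which section pulled it in.
    """
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package and version_matches(entry["version"], ranges):
                hits.append((entry["name"], entry["version"]))
    return hits


# Constructed composer.lock excerpt (not a real Drupal lock file): one copy of
# composer/composer pinned inside the affected range.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "composer/composer", "version": "2.6.6"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version in affected_packages(SAMPLE_LOCK):
        print(f"{name} {version} is within the affected range; update to ^2.7")
```

Pre-release handling is where hand-rolled checks usually go wrong: a locked `2.7.0-rc1` still falls under `<2.7.0` and is reported, while `2.2.23` and `2.7.0` are not. `composer audit` remains the authoritative check; this script only mirrors the ranges it printed so a lock file can be gated where Composer itself is not available.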
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Issue fork drupal-3421371
Comments
Comment #5
spokje
Comment #6
smustgrave commented: Bump seems fine, not sure what to fully test but everything appears green. Locally didn't break anything.
Comment #10
longwave: Committed and pushed to all three active branches, thanks!