FreeBSD: VID-33922B84-5F09-11EE-B63D-0897988A1C07 (CVE-2023-43655): Remote Code Execution via web-accessible composer
Description
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.
Solution(s)
- freebsd-upgrade-package-php80-composer
- freebsd-upgrade-package-php80-composer2
- freebsd-upgrade-package-php81-composer
- freebsd-upgrade-package-php81-composer2
- freebsd-upgrade-package-php82-composer
- freebsd-upgrade-package-php82-composer2
- freebsd-upgrade-package-php83-composer
- freebsd-upgrade-package-php83-composer2
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center