CVE-2024-35241: 
PHP vulnerability analysis and mitigation

Composer, a dependency manager for PHP, disclosed a critical security vulnerability (CVE-2024-35241) affecting versions prior to 2.2.24 and 2.7.7. The vulnerability was discovered in the status, reinstall, and remove commands when packages are installed from source via git containing specially crafted branch names in the repository (GitHub Advisory, NVD).

The vulnerability is classified as a command injection flaw (CWE-77) with a CVSS v3.1 base score of 8.8 (HIGH). The issue specifically affects the package management commands when interacting with git repositories containing maliciously crafted branch names, potentially leading to code execution (GitHub Advisory, Security Online).

If exploited, this vulnerability allows attackers to execute arbitrary code on affected systems through specially crafted git branch names. While popular repositories like Packagist.org are not directly vulnerable to remote code execution, users who install packages from untrusted sources could be at risk (Security Online).

Users are advised to upgrade to version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, users can avoid installing dependencies via git by using the --prefer-dist option or setting the preferred-install: dist configuration (NVD, Fedora Update).

The vulnerability has prompted immediate response from distribution maintainers, with Fedora Project quickly releasing security updates for both Fedora 39 and 40 to address the issue (Fedora Update 39, Fedora Update 40).