CVE-2024-35242: 
PHP vulnerability analysis and mitigation

Composer, a dependency manager for PHP, disclosed a critical security vulnerability (CVE-2024-35242) affecting versions prior to 2.2.24 and 2.7.7. The vulnerability involves a command injection flaw where specially crafted branch names in git/hg repositories can lead to command injection when running the composer install command. This vulnerability requires cloning untrusted repositories to be exploitable (GitHub Advisory).

The vulnerability is classified as a command injection vulnerability (CWE-77) with a CVSS v3.1 base score of 8.8 (HIGH), and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue specifically affects the composer install command when executed inside a git or hg repository containing maliciously crafted branch names (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code on affected systems through command injection. The high CVSS score indicates potential for significant impact on system confidentiality, integrity, and availability when exploited (GitHub Advisory).

Two primary mitigation options are available: 1) Upgrade to patched versions - version 2.2.24 for 2.2 LTS or 2.7.7 for mainline, 2) As a workaround, avoid cloning potentially compromised repositories (Security Online, Fedora Update).