CVE-2015-8371

HIGH

Composer <2016-02-10 - Cache Poisoning

Title source: llm

Description

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

References (4)

Core 4

Core References

Exploit, Third Party Advisory

https://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html

Third Party Advisory

https://github.com/FriendsOfPHP/security-advisories/blob/e26be423c5bcfdb38478d2f92d1f928c15afb561/composer/composer/CVE-2015-8371.yaml

View Writeup ZIP pw:eip

Product

https://github.com/composer/composer

Third Party Advisory

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2015-8371.yml

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0070

EPSS Percentile 48.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-345

Status published

Products (2)

composer/composer 0 - 1.0.0Packagist

getcomposer/composer 1.0.0 alpha1 (11 CPE variants)

Published Sep 21, 2023

Tracked Since Feb 18, 2026