{
  "document" : {
    "aggregate_severity" : {
      "namespace" : "https://access.redhat.com/security/updates/classification/",
      "text" : "Important"
    },
    "category" : "csaf_security_advisory",
    "csaf_version" : "2.0",
    "distribution" : {
      "text" : "Copyright © Red Hat, Inc. All rights reserved.",
      "tlp" : {
        "label" : "WHITE",
        "url" : "https://www.first.org/tlp/"
      }
    },
    "lang" : "en",
    "notes" : [ {
      "category" : "summary",
      "text" : "An update for Red Hat Hardened Images RPMs is now available.",
      "title" : "Topic"
    }, {
      "category" : "general",
      "text" : "This update includes the following RPMs:\n\ncomposer:\n  * composer-2.9.7-1.hum1 (noarch)\n  * composer-2.9.7-1.hum1.src (src)",
      "title" : "Details"
    }, {
      "category" : "legal_disclaimer",
      "text" : "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
      "title" : "Terms of Use"
    } ],
    "publisher" : {
      "category" : "vendor",
      "contact_details" : "https://access.redhat.com/security/team/contact/",
      "issuing_authority" : "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name" : "Red Hat Product Security",
      "namespace" : "https://www.redhat.com"
    },
    "references" : [ {
      "category" : "self",
      "summary" : "https://access.redhat.com/errata/RHSA-2026:8165",
      "url" : "https://access.redhat.com/errata/RHSA-2026:8165"
    }, {
      "category" : "external",
      "summary" : "https://images.redhat.com/",
      "url" : "https://images.redhat.com/"
    }, {
      "category" : "external",
      "summary" : "https://access.redhat.com/security/cve/CVE-2026-40261",
      "url" : "https://access.redhat.com/security/cve/CVE-2026-40261"
    }, {
      "category" : "external",
      "summary" : "https://access.redhat.com/security/updates/classification/",
      "url" : "https://access.redhat.com/security/updates/classification/"
    }, {
      "category" : "external",
      "summary" : "https://access.redhat.com/security/cve/CVE-2026-40176",
      "url" : "https://access.redhat.com/security/cve/CVE-2026-40176"
    }, {
      "category" : "external",
      "summary" : "https://access.redhat.com/security/cve/CVE-2025-67746",
      "url" : "https://access.redhat.com/security/cve/CVE-2025-67746"
    }, {
      "category" : "self",
      "summary" : "Canonical URL",
      "url" : "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_8165.json"
    } ],
    "title" : "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking" : {
      "current_release_date" : "2026-04-27T16:49:32+00:00",
      "generator" : {
        "date" : "2026-04-27T16:49:32+00:00",
        "engine" : {
          "name" : "Red Hat SDEngine",
          "version" : "4.7.5"
        }
      },
      "id" : "RHSA-2026:8165",
      "initial_release_date" : "2026-04-14T17:59:27+00:00",
      "revision_history" : [ {
        "date" : "2026-04-14T17:59:27+00:00",
        "number" : "1",
        "summary" : "Initial version"
      }, {
        "date" : "2026-04-18T20:00:38+00:00",
        "number" : "2",
        "summary" : "Last updated version"
      }, {
        "date" : "2026-04-27T16:49:32+00:00",
        "number" : "3",
        "summary" : "Last generated version"
      } ],
      "status" : "final",
      "version" : "3"
    }
  },
  "product_tree" : {
    "branches" : [ {
      "branches" : [ {
        "branches" : [ {
          "category" : "product_name",
          "name" : "Red Hat Hardened Images",
          "product" : {
            "name" : "Red Hat Hardened Images",
            "product_id" : "Red Hat Hardened Images",
            "product_identification_helper" : {
              "cpe" : "cpe:/a:redhat:hummingbird:1"
            }
          }
        } ],
        "category" : "product_family",
        "name" : "Red Hat Hardened Images"
      }, {
        "branches" : [ {
          "category" : "product_version",
          "name" : "composer-main@noarch",
          "product" : {
            "name" : "composer-main@noarch",
            "product_id" : "composer-main@noarch",
            "product_identification_helper" : {
              "purl" : "pkg:rpm/redhat/composer@2.9.7-1.hum1?arch=noarch&distro=hummingbird-20251124&repository_id=public-hummingbird-x86_64-rpms"
            }
          }
        } ],
        "category" : "architecture",
        "name" : "noarch"
      }, {
        "branches" : [ {
          "category" : "product_version",
          "name" : "composer-main@src",
          "product" : {
            "name" : "composer-main@src",
            "product_id" : "composer-main@src",
            "product_identification_helper" : {
              "purl" : "pkg:rpm/redhat/composer@2.9.7-1.hum1?arch=src&distro=hummingbird-20251124&repository_id=public-hummingbird-source-rpms"
            }
          }
        } ],
        "category" : "architecture",
        "name" : "src"
      } ],
      "category" : "vendor",
      "name" : "Red Hat"
    } ],
    "relationships" : [ {
      "category" : "default_component_of",
      "full_product_name" : {
        "name" : "composer-main@noarch as a component of Red Hat Hardened Images",
        "product_id" : "Red Hat Hardened Images:composer-main@noarch"
      },
      "product_reference" : "composer-main@noarch",
      "relates_to_product_reference" : "Red Hat Hardened Images"
    }, {
      "category" : "default_component_of",
      "full_product_name" : {
        "name" : "composer-main@src as a component of Red Hat Hardened Images",
        "product_id" : "Red Hat Hardened Images:composer-main@src"
      },
      "product_reference" : "composer-main@src",
      "relates_to_product_reference" : "Red Hat Hardened Images"
    } ]
  },
  "vulnerabilities" : [ {
    "cve" : "CVE-2025-67746",
    "cwe" : {
      "id" : "CWE-74",
      "name" : "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
    },
    "discovery_date" : "2025-12-30T17:01:39.753133+00:00",
    "ids" : [ {
      "system_name" : "Red Hat Bugzilla ID",
      "text" : "2426283"
    } ],
    "notes" : [ {
      "category" : "description",
      "text" : "A flaw was found in Composer, a dependency manager for PHP. A remote attacker could exploit this by injecting ANSI control characters into the terminal output of various Composer commands when Composer downloads from attacker-controlled remote sources. This can lead to mangled output, causing confusion or a Denial of Service (DoS) of the terminal application.",
      "title" : "Vulnerability description"
    }, {
      "category" : "summary",
      "text" : "composer: Composer: Terminal output manipulation leading to Denial of Service",
      "title" : "Vulnerability summary"
    }, {
      "category" : "other",
      "text" : "This vulnerability is rated Low as it primarily affects the terminal output of Composer commands. Exploitation requires an attacker to control remote sources from which Composer downloads, allowing the injection of ANSI control characters. This can lead to mangled output or a denial of service of the terminal application, but not the underlying system.",
      "title" : "Statement"
    }, {
      "category" : "general",
      "text" : "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
      "title" : "CVSS score applicability"
    } ],
    "product_status" : {
      "fixed" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    },
    "references" : [ {
      "category" : "self",
      "summary" : "Canonical URL",
      "url" : "https://access.redhat.com/security/cve/CVE-2025-67746"
    }, {
      "category" : "external",
      "summary" : "RHBZ#2426283",
      "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426283"
    }, {
      "category" : "external",
      "summary" : "https://www.cve.org/CVERecord?id=CVE-2025-67746",
      "url" : "https://www.cve.org/CVERecord?id=CVE-2025-67746"
    }, {
      "category" : "external",
      "summary" : "https://nvd.nist.gov/vuln/detail/CVE-2025-67746",
      "url" : "https://nvd.nist.gov/vuln/detail/CVE-2025-67746"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917",
      "url" : "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71",
      "url" : "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/releases/tag/2.2.26",
      "url" : "https://github.com/composer/composer/releases/tag/2.2.26"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/releases/tag/2.9.3",
      "url" : "https://github.com/composer/composer/releases/tag/2.9.3"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g",
      "url" : "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g"
    } ],
    "release_date" : "2025-12-30T16:11:04.776000+00:00",
    "remediations" : [ {
      "category" : "vendor_fix",
      "date" : "2026-04-14T17:59:27+00:00",
      "details" : "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
      "product_ids" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ],
      "restart_required" : {
        "category" : "none"
      },
      "url" : "https://access.redhat.com/errata/RHSA-2026:8165"
    } ],
    "scores" : [ {
      "cvss_v3" : {
        "attackComplexity" : "LOW",
        "attackVector" : "NETWORK",
        "availabilityImpact" : "LOW",
        "baseScore" : 3.5,
        "baseSeverity" : "LOW",
        "confidentialityImpact" : "NONE",
        "integrityImpact" : "NONE",
        "privilegesRequired" : "LOW",
        "scope" : "UNCHANGED",
        "userInteraction" : "REQUIRED",
        "vectorString" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
        "version" : "3.1"
      },
      "products" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    } ],
    "threats" : [ {
      "category" : "impact",
      "details" : "Low"
    } ],
    "title" : "composer: Composer: Terminal output manipulation leading to Denial of Service"
  }, {
    "cve" : "CVE-2026-40176",
    "cwe" : {
      "id" : "CWE-78",
      "name" : "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
    },
    "discovery_date" : "2026-04-15T21:00:48.175830+00:00",
    "ids" : [ {
      "system_name" : "Red Hat Bugzilla ID",
      "text" : "2458828"
    } ],
    "notes" : [ {
      "category" : "description",
      "text" : "A flaw was found in Composer. `Perforce::generateP4Command()` constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping, allowing an attacker to inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository.",
      "title" : "Vulnerability description"
    }, {
      "category" : "summary",
      "text" : "composer: command injection via malicious Perforce repository definition",
      "title" : "Vulnerability summary"
    }, {
      "category" : "other",
      "text" : "To exploit this vulnerability, a user needs to run Composer commands on untrusted projects with attacker-supplied composer.json files. VCS repositories are only loaded from the root composer.json or the composer config directory, so this issue cannot be exploited through composer.json files of packages installed as dependencies. This issue can cause arbitrary command execution, but it is limited to the context of the user running Composer. For these reasons, this flaw has been rated with an important severity.",
      "title" : "Statement"
    }, {
      "category" : "general",
      "text" : "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
      "title" : "CVSS score applicability"
    } ],
    "product_status" : {
      "fixed" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    },
    "references" : [ {
      "category" : "self",
      "summary" : "Canonical URL",
      "url" : "https://access.redhat.com/security/cve/CVE-2026-40176"
    }, {
      "category" : "external",
      "summary" : "RHBZ#2458828",
      "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458828"
    }, {
      "category" : "external",
      "summary" : "https://www.cve.org/CVERecord?id=CVE-2026-40176",
      "url" : "https://www.cve.org/CVERecord?id=CVE-2026-40176"
    }, {
      "category" : "external",
      "summary" : "https://nvd.nist.gov/vuln/detail/CVE-2026-40176",
      "url" : "https://nvd.nist.gov/vuln/detail/CVE-2026-40176"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/releases/tag/2.9.6",
      "url" : "https://github.com/composer/composer/releases/tag/2.9.6"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p",
      "url" : "https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p"
    } ],
    "release_date" : "2026-04-15T20:47:39.839000+00:00",
    "remediations" : [ {
      "category" : "vendor_fix",
      "date" : "2026-04-14T17:59:27+00:00",
      "details" : "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
      "product_ids" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ],
      "restart_required" : {
        "category" : "none"
      },
      "url" : "https://access.redhat.com/errata/RHSA-2026:8165"
    }, {
      "category" : "workaround",
      "details" : "To mitigate this vulnerability, only run Composer commands on projects from trusted sources. Also, inspect composer.json files before running Composer commands on them, specifically checking that Perforce-related fields contain valid values.",
      "product_ids" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    } ],
    "scores" : [ {
      "cvss_v3" : {
        "attackComplexity" : "LOW",
        "attackVector" : "LOCAL",
        "availabilityImpact" : "HIGH",
        "baseScore" : 7.8,
        "baseSeverity" : "HIGH",
        "confidentialityImpact" : "HIGH",
        "integrityImpact" : "HIGH",
        "privilegesRequired" : "NONE",
        "scope" : "UNCHANGED",
        "userInteraction" : "REQUIRED",
        "vectorString" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version" : "3.1"
      },
      "products" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    } ],
    "threats" : [ {
      "category" : "impact",
      "details" : "Important"
    } ],
    "title" : "composer: command injection via malicious Perforce repository definition"
  }, {
    "cve" : "CVE-2026-40261",
    "cwe" : {
      "id" : "CWE-78",
      "name" : "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
    },
    "discovery_date" : "2026-04-15T22:00:54.256960+00:00",
    "ids" : [ {
      "system_name" : "Red Hat Bugzilla ID",
      "text" : "2458841"
    } ],
    "notes" : [ {
      "category" : "description",
      "text" : "A flaw was found in Composer. `Perforce::syncCodeBase()` appends the `$sourceReference` parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.",
      "title" : "Vulnerability description"
    }, {
      "category" : "summary",
      "text" : "composer: command injection via malicious Perforce source reference/url",
      "title" : "Vulnerability summary"
    }, {
      "category" : "other",
      "text" : "This issue can be exploited via any package served by a compromised or malicious Composer repository when installing or updating dependencies from source, including through the default behavior of installing dev-prefixed versions from source. Exploitation results in arbitrary command execution. For these reasons, this flaw has been rated with an important severity.",
      "title" : "Statement"
    }, {
      "category" : "general",
      "text" : "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
      "title" : "CVSS score applicability"
    } ],
    "product_status" : {
      "fixed" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    },
    "references" : [ {
      "category" : "self",
      "summary" : "Canonical URL",
      "url" : "https://access.redhat.com/security/cve/CVE-2026-40261"
    }, {
      "category" : "external",
      "summary" : "RHBZ#2458841",
      "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458841"
    }, {
      "category" : "external",
      "summary" : "https://www.cve.org/CVERecord?id=CVE-2026-40261",
      "url" : "https://www.cve.org/CVERecord?id=CVE-2026-40261"
    }, {
      "category" : "external",
      "summary" : "https://nvd.nist.gov/vuln/detail/CVE-2026-40261",
      "url" : "https://nvd.nist.gov/vuln/detail/CVE-2026-40261"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/releases/tag/2.9.6",
      "url" : "https://github.com/composer/composer/releases/tag/2.9.6"
    }, {
      "category" : "external",
      "summary" : "https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q",
      "url" : "https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q"
    } ],
    "release_date" : "2026-04-15T20:56:32.182000+00:00",
    "remediations" : [ {
      "category" : "vendor_fix",
      "date" : "2026-04-14T17:59:27+00:00",
      "details" : "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
      "product_ids" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ],
      "restart_required" : {
        "category" : "none"
      },
      "url" : "https://access.redhat.com/errata/RHSA-2026:8165"
    }, {
      "category" : "workaround",
      "details" : "To mitigate this issue, only run Composer commands on projects and dependencies from trusted sources. Also, use the '--prefer-dist' command-line option or the 'preferred-install: dist' configuration setting to prevent Composer from installing dependencies from source.",
      "product_ids" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    } ],
    "scores" : [ {
      "cvss_v3" : {
        "attackComplexity" : "LOW",
        "attackVector" : "NETWORK",
        "availabilityImpact" : "HIGH",
        "baseScore" : 8.8,
        "baseSeverity" : "HIGH",
        "confidentialityImpact" : "HIGH",
        "integrityImpact" : "HIGH",
        "privilegesRequired" : "NONE",
        "scope" : "UNCHANGED",
        "userInteraction" : "REQUIRED",
        "vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version" : "3.1"
      },
      "products" : [ "Red Hat Hardened Images:composer-main@noarch", "Red Hat Hardened Images:composer-main@src" ]
    } ],
    "threats" : [ {
      "category" : "impact",
      "details" : "Important"
    } ],
    "title" : "composer: command injection via malicious Perforce source reference/url"
  } ]
}