What is CVE-2020-15145?

CVE-2020-15145 is a vulnerability in Composer-Setup for Windows before version 6.0.0.

How does CVE-2020-15145 affect the developer's computer?

CVE-2020-15145 allows a local attacker to exploit certain scenarios on a shared developer's computer running Composer-Setup for Windows before version 6.0.0.

What can a local regular user do with CVE-2020-15145?

A local regular user can modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` file to gain elevated command execution on the affected system.

How can I fix CVE-2020-15145?

To fix CVE-2020-15145, users should update to version 6.0.0 or later of Composer-Setup for Windows.

Is CVE-2020-15145 a high severity vulnerability?

Yes, CVE-2020-15145 is considered a high severity vulnerability with a severity score of 8.2.

Vulnerability/
CVE-2020-15145

high

8.2

CWE

276

14/8/2020

4/8/2024

CVE-2020-15145: Local privilege elevation in Composer-Setup for Windows

First published: Fri Aug 14 2020(Updated: )

In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\ProgramData\ComposerSetup\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Getcomposer Composer-setup	<6.0.0

Remedy

https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-15145?
CVE-2020-15145 is a vulnerability in Composer-Setup for Windows before version 6.0.0.
How does CVE-2020-15145 affect the developer's computer?
CVE-2020-15145 allows a local attacker to exploit certain scenarios on a shared developer's computer running Composer-Setup for Windows before version 6.0.0.
What can a local regular user do with CVE-2020-15145?
A local regular user can modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` file to gain elevated command execution on the affected system.
How can I fix CVE-2020-15145?
To fix CVE-2020-15145, users should update to version 6.0.0 or later of Composer-Setup for Windows.
Is CVE-2020-15145 a high severity vulnerability?
Yes, CVE-2020-15145 is considered a high severity vulnerability with a severity score of 8.2.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/title
agent/remedy
agent/weakness
agent/severity
agent/last-modified-date
agent/author
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/getcomposer
canonical/getcomposer composer-setup

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.