Arbitrary Shell Command Execution Affecting squizlabs/php_codesniffer package, versions >=3.0.0, <3.0.1


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Shell Command Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-SQUIZLABSPHPCODESNIFFER-72106
  • published21 Mar 2018
  • disclosed14 Jun 2017
  • creditUnknown

Introduced: 14 Jun 2017

CVE NOT AVAILABLE CWE-78  (opens in a new tab)

How to fix?

Upgrade squizlabs/php_codesniffer to version 3.0.1 or higher.

Overview

squizlabs/php_codesniffer tokenizes PHP, JavaScript and CSS files and detects violations of a defined set of coding standards.

Affected versions of this package are vulnerable to Arbitrary Shell Command Execution. A properly crafted filename would it when using the --filter=gitmodified command line option.

References

CVSS Scores

version 3.1