CVE-2015-8371

Name of the Vulnerable Software and Affected Versions Composer versions through 1.0.0-alpha11

Description The issue allows cache poisoning from other projects built on the same host, resulting in attacker-controlled code entering a server-side build process. This occurs because of the way that dist packages are cached, with the cache key derived from the package name, the dist type, and certain other data from the package repository, such as a commit hash that can be found by an attacker.

Recommendations For versions through 1.0.0-alpha11, update to version 1.0.0 or later to resolve the issue.