Description

A installed.json file was discovered. Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. After installing the dependencies, Composer stores the list of them in a special file for internal purposes.

As the file is publicly accessible, it leads to disclosure of information about components used by the web application.

Remediation

Restrict access to vendors directory

References

Composer Basic usage

Related Vulnerabilities

Snoop Servlet information disclosure

WordPress Plugin Timetable and Event Schedule by MotoPress Information Disclosure (2.3.19)

Joomla! Core 1.5.x Information Disclosure (1.5.0 - 1.5.23)

WordPress Plugin Email newsletter 'option' Parameter Information Disclosure (8.0)

Piwigo Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-10679)

Severity

Low

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Tags

Information Disclosure