{"id":47725,"date":"2026-04-17T23:56:46","date_gmt":"2026-04-17T16:56:46","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=47725"},"modified":"2026-04-23T23:57:32","modified_gmt":"2026-04-23T16:57:32","slug":"lo-hong-trong-composer-nguy-co-thuc-thi-lenh-tu-xa-qua-file-cau-hinh","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/lo-hong-trong-composer-nguy-co-thuc-thi-lenh-tu-xa-qua-file-cau-hinh\/","title":{"rendered":"Composer vulnerabilities: risk of remote command execution via the configuration file"},"content":{"rendered":"<div><b>Two newly disclosed vulnerabilities in Composer (the dependency manager used throughout the PHP ecosystem) are raising concern about software supply-chain attacks. If exploited, they let an attacker run arbitrary commands on a developer workstation or a server, with nothing more than a manipulated project configuration file.<\/b><br \/>\n<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"bbImage \" title=\"f87cff5f-29f0-4206-be91-299705ebfb41.png\" src=\"https:\/\/whitehat.vn\/data\/attachments\/19\/19207-1526c7f07b14139656340b2e0f331157.jpg\" alt=\"f87cff5f-29f0-4206-be91-299705ebfb41.png\" width=\"717\" height=\"400\" \/><\/div>\n<div>\n<p>According to the Composer maintainers, both vulnerabilities sit in the component that handles the Perforce version control system. That is a rarely used corner of Composer which most users never look at, but it became a serious weak point because of the way Composer handles input taken from composer.json.<\/p>\n<p>The two vulnerabilities are:<\/p><\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>CVE-2026-40176 (CVSS 7.8): insufficient input validation that lets an attacker inject commands through the Perforce repository configuration in composer.json.<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>CVE-2026-40261 (CVSS 8.8): unsafe handling of special characters that allows command injection through crafted source references.<\/div>\n<\/li>\n<\/ul>\n<div>Notably, both vulnerabilities can be exploited even on systems where Perforce is not installed. That is what \u201ccommand injection\u201d means here: the crafted value is spliced into a command line that Composer hands to the shell, so the attacker's portion runs whether or not a p4 client binary is present. The affected population is therefore much larger than the small number of Perforce users, and many development environments can become targets without ever realising that a Perforce code path was involved.<\/p>\n<p>The attack mechanism is straightforward. The attacker publishes a project or library package whose composer.json has been seeded with malicious values. When a user fetches it and runs a Composer command (for example composer install), those values are processed as part of an otherwise valid configuration, and because they are not validated strictly, Composer executes the embedded commands directly in the system environment. Two details sharpen the threat model: Composer only honours the repositories block of the root composer.json (repository declarations inside dependencies are ignored), so the repository-configuration vector (CVE-2026-40176) needs the victim to run Composer inside the attacker-controlled project, while a crafted source reference (CVE-2026-40261) can travel in a dependency's package metadata, which is why the temporary Packagist mitigation targets Perforce metadata.<\/p>\n<p>In other words, a single install of a library from an untrusted source can hand over the whole machine. This is the textbook supply-chain attack: malicious code \u201cdisguised\u201d inside components that look legitimate.<\/p><\/div>\n<div>Scope of impact and severity<\/div>\n<div>The vulnerabilities affect Composer releases that are in wide use:<\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>2.3 up to, but not including, 2.9.6<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>2.0 up to, but not including, 2.2.27<\/div>\n<\/li>\n<\/ul>\n<div><p>Severity is rated high because arbitrary commands run without any special privileges being required: it is enough that the victim runs Composer on a seeded project, and the injected commands then run with that user's rights. In an enterprise environment that can mean exposed source code, stolen secrets, or a planted backdoor.<\/p>\n<p>That said, an initial check of Packagist found no evidence that these vulnerabilities have been exploited at scale in the wild. Still, experts warn that the risk stays high if users treat this as a niche problem.<\/p><\/div>\n<div>Mitigation and recommendations<\/div>\n<div>Patches are available, and users should update immediately to the fixed releases:<\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>Version 2.9.6<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Version 2.2.27<\/div>\n<\/li>\n<\/ul>\n<div><p>Check the installed build with composer --version and update with composer self-update (or your package manager). Where updating is not yet possible, be especially careful with projects obtained from outside. Review composer.json closely, in particular the repositories block and any entry of type perforce, and review composer.lock for packages whose source type is perforce, since those are the places a crafted value would sit.<\/p>\n<p>Experts further recommend:<\/p><\/div>\n<ul>\n<li data-xf-list-type=\"ul\">\n<div>Use only libraries and repositories from trusted sources<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Do not run Composer on projects of unknown origin<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Prefer dist (archive) installs and avoid --prefer-source unless it is really needed, since the Perforce downloader is only exercised for source installs<\/div>\n<\/li>\n<li data-xf-list-type=\"ul\">\n<div>Tighten internal source-code review, so that a change to composer.json is reviewed like any other code<\/div>\n<\/li>\n<\/ul>\n<div>As a temporary preventive measure, Packagist has also disabled Perforce-related metadata.<\/div>\n<div style=\"text-align: right;\"><b><i>Source: The Hacker News<\/i><\/b><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Two newly disclosed vulnerabilities in Composer (the dependency manager used throughout the PHP ecosystem) are raising concern about software supply-chain attacks. If exploited, they let an attacker 
[&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":47726,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[3,24,35],"tags":[],"class_list":["post-47725","post","type-post","status-publish","format-standard","has-post-thumbnail","category-canh-bao-khuyen-nghi","category-tin-noi-bat","category-tin-tuc-su-kien"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=47725"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47725\/revisions"}],"predecessor-version":[{"id":47727,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47725\/revisions\/47727"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/47726"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=47725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=47725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=47725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
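A pre-install audit that applies the checks from the recommendations in the post above, as an added example that is not part of the original post, not Composer's own code, and not material from the advisory it summarises. It takes `composer --version` output, composer.json and composer.lock as text and reports three things: whether the build falls in one of the affected ranges the article lists, root `repositories` entries of type perforce (the surface named for CVE-2026-40176), and locked packages with a perforce source reference (the surface named for CVE-2026-40261). Assumptions: the Perforce repository keys used in the samples (url, depot, branch) follow Composer's documented perforce repository format; the shell-metacharacter scan is a reviewer heuristic of mine, not an indicator taken from the advisory; and the sample documents are constructed, not real projects.

```python
"""Pre-install audit for the Composer Perforce command-injection advisories.

Added example; not Composer's own code nor material from the advisory. Three
inputs are passed as text: `composer --version` output (compared with the
affected ranges the article lists), composer.json (root `repositories` entries
of type "perforce", the surface named for CVE-2026-40176) and composer.lock
(packages whose `source.type` is "perforce", the crafted source-reference
surface named for CVE-2026-40261). Strings in a flagged entry that contain shell
metacharacters are reported too; that scan is a reviewer heuristic, not an
indicator from the advisory. The sample documents below are constructed.
"""
import json
import re
from typing import Any, Iterator

# [first affected, first fixed) as stated in the article
AFFECTED_RANGES = [((2, 0, 0), (2, 2, 27)), ((2, 3, 0), (2, 9, 6))]
# characters that change the meaning of a POSIX shell command line
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")

def parse_version(version_output: str) -> tuple:
    """Extract (x, y, z) from text such as 'Composer version 2.9.5 2026-04-01 12:00:00'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"no version number in {version_output!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version: tuple) -> bool:
    """True when the build falls inside one of the affected ranges."""
    return any(lo <= version < fixed for lo, fixed in AFFECTED_RANGES)

def strings_in(obj: Any) -> Iterator[str]:
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from strings_in(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from strings_in(value)

def audit_composer_json(text: str) -> list:
    """Flag root `repositories` entries that would drive Composer's Perforce driver."""
    repos = json.loads(text).get("repositories", [])
    if isinstance(repos, dict):  # the block may also be an object keyed by name
        repos = list(repos.values())
    findings = []
    for repo in repos:
        # skips non-objects and entries such as {"packagist.org": false}
        if not isinstance(repo, dict) or str(repo.get("type", "")).lower() != "perforce":
            continue
        findings.append(f"perforce repository declared: {repo.get('url', '?')}")
        findings += [f"shell metacharacters in perforce repository value: {s!r}"
                     for s in strings_in(repo) if SHELL_META.search(s)]
    return findings

def audit_composer_lock(text: str) -> list:
    """Flag locked packages whose source is Perforce (only used for source installs)."""
    data = json.loads(text)
    findings = []
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        src = pkg.get("source") or {}
        if str(src.get("type", "")).lower() != "perforce":
            continue
        findings.append(f"{pkg.get('name')}: perforce source reference {src.get('reference')!r}")
        findings += [f"{pkg.get('name')}: shell metacharacters in source value: {s!r}"
                     for s in strings_in(src) if SHELL_META.search(s)]
    return findings

def audit(version_output: str, composer_json: str, composer_lock: str) -> dict:
    """Combine the checks; block only when a vulnerable build would touch a Perforce surface."""
    version = parse_version(version_output)
    findings = audit_composer_json(composer_json) + audit_composer_lock(composer_lock)
    affected = is_affected(version)
    return {"version": version, "affected_build": affected,
            "findings": findings, "block_install": affected and bool(findings)}

# --- constructed samples, not real projects ---------------------------------
CLEAN_COMPOSER_JSON = json.dumps({
    "name": "example/app", "require": {"monolog/monolog": "^3.0"},
    "repositories": [{"packagist.org": False},
                     {"type": "composer", "url": "https://repo.example.test"}]})
# seeded root composer.json: the perforce keys (url, depot, branch) follow Composer's
# documented repository format; the depot value carries a ';' command separator
SEEDED_COMPOSER_JSON = json.dumps({
    "name": "example/app", "require": {"acme/lib": "*"},
    "repositories": [{"type": "perforce", "url": "p4.example.test:1666",
                      "depot": "//depot/acme; id", "branch": "main"}]})
# lock file whose only package points at a perforce source with a crafted reference
SEEDED_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "acme/lib", "version": "1.0.0",
                  "source": {"type": "perforce", "url": "p4.example.test:1666",
                             "reference": "@123 $(id)"}}],
    "packages-dev": []})

if __name__ == "__main__":
    report = audit("Composer version 2.9.5 2026-04-01 12:00:00",
                   SEEDED_COMPOSER_JSON, SEEDED_COMPOSER_LOCK)
    print(json.dumps(report, indent=2))
```

Run it with the output of `composer --version` and the two files from the project you are about to install. `block_install` is set only when the build itself is in an affected range and a Perforce surface is present, so a patched 2.9.6 still lists the findings for review but does not stop the install, while a seeded project on 2.9.5 is blocked. The lock-file check matters mostly for source installs, since dist archives never go through the Perforce downloader.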