
Apache Cordova App Harness Targeted in Dependency Confusion Attack

by crpt os


Apr 23, 2024 | Newsroom | Supply Chain Attack / Application Security

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness.

Dependency confusion attacks are possible because package managers consult public repositories before private registries, which allows a threat actor to publish a malicious package under the same name to a public package repository.

The package manager then inadvertently downloads the fraudulent package from the public repository instead of the intended private one. If successful, the attack can have serious consequences, such as compromising every downstream customer that installs the package.


A May 2023 analysis of npm and PyPI packages stored in cloud environments by cloud security company Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack.

While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Security said it found that the Cordova App Harness project references an internal dependency named cordova-harness-client without a relative file path.

The open-source initiative was discontinued by the Apache Software Foundation (ASF) as of April 18, 2019.

As Legit Security demonstrated, this left the door wide open for a supply chain attack by uploading a malicious version under the same name with a higher version number, thus causing npm to retrieve the bogus version from the public registry.
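The exposure described above can be checked for mechanically. The following is an added example, not code from the article, Apache Cordova or Legit Security: it audits a package.json for internal dependency names that are referenced by a bare version range rather than a file/link/git source, and whose scope (if any) is not routed to a private registry in .npmrc. The package.json, .npmrc and list of internal names are constructed for the demonstration.

```javascript
// Specs npm resolves from a local path or git source rather than a registry lookup.
const NON_REGISTRY = /^(file:|link:|git\+|git:|github:|https?:\/\/|\.{1,2}\/)/;
// Parse .npmrc text into the set of scopes routed to a non-public registry,
// e.g. "@acme:registry=https://npm.acme.internal/" yields "@acme".
function privateScopes(npmrc) {
  const scopes = new Set();
  for (const line of npmrc.split('\n')) {
    const m = line.trim().match(/^(@[^:]+):registry=(\S+)/);
    if (m && !/registry\.npmjs\.org/.test(m[2])) scopes.add(m[1]);
  }
  return scopes;
}
// Return internal dependencies that the public registry could satisfy: an
// unscoped name on a bare semver range (the article's cordova-harness-client
// case), or a scoped name whose scope .npmrc does not route privately.
// privateNames is the list of packages that should only come from inside.
function auditDependencies(pkg, npmrc, privateNames) {
  const scopes = privateScopes(npmrc);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!privateNames.includes(name)) continue;   // genuinely public package
      if (NON_REGISTRY.test(spec)) continue;        // local/git source, no lookup
      const scope = name.startsWith('@') ? name.split('/')[0] : null;
      if (scope && scopes.has(scope)) continue;     // routed to private registry
      findings.push({
        field, name, spec,
        reason: scope ? `scope ${scope} has no private registry in .npmrc`
                      : 'unscoped internal name resolved by version range',
      });
    }
  }
  return findings;
}
// Constructed inputs modelled on the article's case (not real project files).
const PKG = {
  dependencies: {
    'cordova-harness-client': '^1.0.0',            // internal, bare range: exposed
    '@acme-legacy/harness-core': '^0.3.0',         // scoped but not routed: exposed
    '@acme/harness-util': '~2.1.0',                // scope routed privately: fine
    '@acme/legacy-tool': 'file:../legacy-tool',    // local path, no lookup: fine
    'express': '^4.19.0',                          // genuinely public: fine
  },
};
const NPMRC = '@acme:registry=https://npm.acme.internal/\n';
const PRIVATE = ['cordova-harness-client', '@acme-legacy/harness-core',
                 '@acme/harness-util', '@acme/legacy-tool'];
console.log(auditDependencies(PKG, NPMRC, PRIVATE));
```

Run against the constructed inputs it reports two findings: the unscoped cordova-harness-client on a version range, and the scoped name whose scope has no registry mapping; the file: reference and the privately routed scope are skipped.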

Dependency Confusion Attack

The bogus package attracted over 100 downloads after being uploaded to npm, which indicates that the archived project is still in use and likely poses severe risks to its users.

In a hypothetical attack scenario, an attacker could hijack the library to serve malicious code that could be executed on the target host upon package installation.


The Apache security team has since addressed the problem by taking ownership of the cordova-harness-client package. It’s worth noting that organizations are advised to create public packages as placeholders to prevent dependency confusion attacks.

“This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches,” security researcher Ofek Haviv said.

“Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that are not getting attention and not likely to be fixed.”
