Home Security Researchers Report Provide Chain Vulnerability in Packagist PHP Repository

Researchers Report Provide Chain Vulnerability in Packagist PHP Repository

by crpt os


Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.

“This vulnerability allows gaining control of Packagist,” SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.

The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting software supply chain attacks.

CyberSecurity

Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.

“An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project’s composer.json can use specially crafted branch names to execute commands on the machine running composer update,” Packagist disclosed in an April 2022 advisory.

A successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.

“Compromising [the backend services] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package,” Chauchefoin explained.

CyberSecurity

That said, there is no evidence the vulnerability has been exploited to date. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7, 2022.

Open source code has increasingly become a lucrative target of choice for threat actors owing to the ease with which they can be weaponized against the software supply chain.

Earlier this April, SonarSource also detailed a 15-year-old security flaw in the PEAR PHP repository that could permit an attacker to obtain unauthorized access and publish rogue packages and execute arbitrary code.

“While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users,” Chauchefoin said.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex