The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack.
Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.
"Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer said in its release notes for versions 2.0.13 and 1.10.22 published on Wednesday. "To the best of our knowledge the vulnerability has not been exploited."
Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.
According to SonarSource, the vulnerability stems from the way package source download URLs are handled: the URL is passed on the command line of the version-control tool Composer invokes, so a value that begins with "--" is parsed by that tool as an option rather than as a repository address, letting an adversary achieve remote command injection. As a proof of concept, the researchers exploited this argument injection flaw to craft a malicious Mercurial repository URL that takes advantage of Mercurial's "alias" option to execute a shell command of the attacker's choice.
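The following PHP snippet is an added illustration of the argument-injection pattern described above; it is not Composer's code and not part of the SonarSource write-up. It builds the "hg clone" command line the way a naive VCS driver would (quoting for the shell only) and then the hardened way (rejecting option-shaped values and terminating option parsing with "--"). The function names, the sample URLs and the target directory are assumptions made for the example.

```php
<?php
// Added example, not Composer's own code.
// A VCS driver shells out to "hg clone <url> <dir>". escapeshellarg() protects
// the shell, but the quoted value still reaches hg intact, and hg parses a
// value that starts with "-" as an option. A "URL" such as
// "--config=alias.clone=!<cmd>" therefore redefines the clone command as a
// shell alias and hg runs <cmd> instead of cloning anything.

declare(strict_types=1);

// Naive construction: shell-safe, but not safe against hg's option parser.
function buildHgCloneVulnerable(string $url, string $dir): string
{
    return sprintf('hg clone %s %s', escapeshellarg($url), escapeshellarg($dir));
}

// Hardened construction: reject anything that would parse as an option and
// put "--" before the positional arguments so nothing after it is an option.
function buildHgCloneHardened(string $url, string $dir): string
{
    if ($url === '' || $url[0] === '-') {
        throw new InvalidArgumentException(
            "Refusing VCS URL that looks like a command-line option: {$url}"
        );
    }
    if ($dir === '' || $dir[0] === '-') {
        throw new InvalidArgumentException(
            "Refusing target directory that looks like a command-line option: {$dir}"
        );
    }
    return sprintf('hg clone -- %s %s', escapeshellarg($url), escapeshellarg($dir));
}

// Constructed sample inputs (assumed, not taken from any real package).
$benignUrl  = 'https://hg.example.org/vendor/package';
$hostileUrl = '--config=alias.clone=!touch /tmp/pwned'; // option-shaped "URL"
$targetDir  = '/tmp/vendor-package';

// The hostile value passes straight through: the quotes only protect the
// shell, so hg still sees "--config=alias.clone=..." as an option.
echo buildHgCloneVulnerable($hostileUrl, $targetDir), PHP_EOL;

// A legitimate URL is unaffected by the hardening.
echo buildHgCloneHardened($benignUrl, $targetDir), PHP_EOL;

// The hostile value is rejected before any process is spawned.
try {
    buildHgCloneHardened($hostileUrl, $targetDir);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The check for a leading "-" and the "--" separator are complementary: the separator alone would stop hg from treating the value as an option, but refusing option-shaped values up front also fails loudly when metadata from an untrusted repository has been tampered with, which is the signal an operator wants to see.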
"A vulnerability in such a central component, serving more than 100 million package metadata requests per month, has a huge impact as this access could have been used to steal maintainers' credentials or to redirect package downloads to third-party servers delivering backdoored dependencies," SonarSource said.
The Geneva-based code security company said one of the bugs was introduced in November 2011, implying that the vulnerable code lurked right from the time development on Composer began years ago. The first "alpha" version of Composer was released on July 3, 2013.
"The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins," Jordi Boggiano, one of the core developers behind Composer, said.