The Cyber Security News
Multiple Security Flaws Discovered in Popular Software Package Managers

March 11, 2022

Multiple security vulnerabilities have been disclosed in popular package managers that, if successfully exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines.

It is, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers.

“This means that an attack cannot be launched directly against a developer machine remotely and requires that the developer is tricked into loading malformed files,” SonarSource researcher Paul Gerste said. “But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?”


Package managers are systems or sets of tools used to automate installing, upgrading, and configuring the third-party dependencies required for developing applications.

While there are inherent security risks in rogue libraries making their way into package repositories (which is why dependencies must be properly scrutinized to protect against typosquatting and dependency confusion attacks), the “act of managing dependencies is usually not seen as a potentially risky operation.”

But the newly discovered issues in various package managers highlight that they could be weaponized by attackers to trick victims into executing malicious code. The flaws have been identified in the following package managers:

  • Composer 1.x < 1.10.23 and 2.x < 2.1.9
  • Bundler < 2.2.33
  • Bower < 1.8.13
  • Poetry < 1.1.9
  • Yarn < 1.22.13
  • pnpm < 6.15.1
  • Pip (no fix), and
  • Pipenv (no fix)

Chief among the weaknesses is a command injection flaw in Composer’s browse command that could be abused to achieve arbitrary code execution by inserting a URL to an already published malicious package.


Should the package leverage typosquatting or dependency confusion techniques, it could potentially result in a scenario where running the browse command for the library could lead to the retrieval of a next-stage payload that could then be utilized to launch further attacks.

Additional argument injection and untrusted search path vulnerabilities discovered in Bundler, Poetry, Yarn, Composer, Pip, and Pipenv meant that a bad actor could gain code execution by means of a malware-laced git executable or an attacker-controlled file such as a Gemfile, which is used to specify the dependencies for Ruby programs.
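The untrusted search path weakness described above can be checked for before a package manager is run inside a freshly cloned project: a same-named `git` file in the checkout, combined with a PATH that searches the working directory, is the condition the flaw depends on. The script below is an added example, not SonarSource's or any package manager's code; it assumes `git` is the only shadowed tool worth flagging and builds a constructed throwaway checkout for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Tools the affected package managers execute while resolving dependencies.
# A same-named file inside an untrusted checkout is exactly what the
# untrusted-search-path flaw lets an attacker plant. (Assumed list: git only.)
SHADOWED_TOOLS = frozenset({"git"})

def risky_path_entries(path_value):
    """PATH entries that make the working directory (or a relative dir) searchable."""
    risky = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", ".") or not os.path.isabs(entry):
            risky.append(entry or "<empty>")
    return risky

def shadowing_binaries(project_dir):
    """(relative path, is_executable) for files in project_dir named after a shadowed tool."""
    hits = []
    for root, _dirs, files in os.walk(project_dir):
        for name in files:
            stem = name.lower().split(".", 1)[0]  # treat git.exe / git.cmd as git
            if stem in SHADOWED_TOOLS:
                full = Path(root, name)
                executable = bool(full.stat().st_mode & stat.S_IXUSR)
                hits.append((str(full.relative_to(project_dir)), executable))
    return sorted(hits)

def audit_checkout(project_dir, path_value=None):
    """Summarise both risk factors for a checkout before running a package manager in it."""
    if path_value is None:
        path_value = os.environ.get("PATH", "")
    return {
        "risky_path_entries": risky_path_entries(path_value),
        "shadowing_binaries": shadowing_binaries(project_dir),
    }

def build_sample_checkout():
    """Constructed sample: a throwaway checkout containing a Gemfile and a fake executable git."""
    root = Path(tempfile.mkdtemp(prefix="untrusted-checkout-"))
    (root / "Gemfile").write_text('source "https://rubygems.org"\n')
    fake_git = root / "git"
    fake_git.write_text("#!/bin/sh\necho 'not the real git'\n")
    fake_git.chmod(0o755)
    return root
```

Running `audit_checkout(build_sample_checkout(), "/usr/bin:.:/usr/local/bin")` reports the `.` PATH entry and the planted `git`; an empty result for both keys is what you want to see before invoking any of the listed package managers in a clone you did not author.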

Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address that bug.

“Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code,” Gerste said. “Compromising them allows attackers to conduct espionage or to embed malicious code into a company’s products. This could even be used to pull off supply chain attacks.”



Some pieces of this article are sourced from:
thehackernews.com
