Scientists have disclosed details about a now-patched higher-severity security flaw in Packagist, a PHP program bundle repository, that could have been exploited to mount software package provide chain attacks.
“This vulnerability makes it possible for getting management of Packagist,” SonarSource researcher Thomas Chauchefoin stated in a report shared with The Hacker Information. Packagist is applied by the PHP offer manager Composer to ascertain and down load software dependencies that are involved by developers in their jobs.
The disclosure will come as planting malware in open up source repositories is turning into an interesting conduit for mounting software package provide chain attacks.
Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a scenario of command injection and is linked to yet another comparable Composer bug (CVE-2021-29472) that arrived to mild in April 2021, suggesting an insufficient patch.
“An attacker managing a Git or Mercurial repository explicitly mentioned by URL in a project’s composer.json can use specifically crafted department names to execute instructions on the machine operating composer update,” Packagist disclosed in an April 2022 advisory.
A profitable exploitation of the flaw intended that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server operating the official instance of Packagist.
“Compromising [the backend services] would permit attackers to drive customers to download backdoored program dependencies the subsequent time they do a contemporary set up or an update of a Composer package,” Chauchefoin discussed.
That reported, there is no proof the vulnerability has been exploited to day. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 immediately after SonarSource noted the flaw on April 7, 2022.
Open up resource code has increasingly come to be a beneficial target of option for menace actors owing to the ease with which they can be weaponized from the application supply chain.
Before this April, SonarSource also detailed a 15-12 months-old security flaw in the PEAR PHP repository that could permit an attacker to receive unauthorized access and publish rogue offers and execute arbitrary code.
“Whilst offer chains can acquire different types, one particular of them is appreciably much more impactful: By getting entry to the servers distributing these third-party software package factors, menace actors can change them to get a foothold in the techniques of their customers,” Chauchefoin said.
Discovered this posting appealing? Observe THN on Fb, Twitter and LinkedIn to browse extra unique material we submit.
Some elements of this post are sourced from: