Dependency Confusion Vulnerability Found in Apache Project

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

A dependency confusion vulnerability has been found within an archived Apache project. 

According to new data by Legit Security, who made the discovery, the finding underscores the importance of scrutinizing third-party projects and dependencies, particularly those archived and potentially neglected in terms of updates and security patches. 

The technical post, published today, suggests that despite the common practice of leaving archived projects untouched under the “if it’s not broken, don’t fix it” mentality, these projects often harbor vulnerabilities that go unaddressed.

Dependency confusion, also known as “dependency hijacking” or “substitution attack,” enables attackers to launch software supply chain attacks by infiltrating vulnerable dependencies in open-source software. 

This exploit occurs when referencing a private/local package, which inadvertently fetches a malicious package similarly named from the public registry due to misconfigurations in package managers.

Read more on similar attacks: New ChatGPT Attack Technique Spreads Malicious Packages

The Legit team demonstrated this vulnerability by exploiting the misconfiguration in the “Cordova App Harness,” an archived Apache project. 

By uploading a malicious package under the same name with a higher version, they successfully hijacked the library, leading to over 100 downloads within three days. This underscores the ongoing use of archived projects and the potential security risks they pose.

Upon exploitation, attackers could execute arbitrary code on the host machine, potentially resulting in Remote Code Execution (RCE) within the production environment. 

The Legit team reported the issue to Apache on March 24. Within a day, Apache acknowledged the report and accepted Legit’s suggested solution to hold a public version of the private package to prevent exploitation by attackers.

The Legit team highlighted that properly configuring package managers is essential to mitigate dependency confusion risks. 

The security researchers emphasized the importance of proactive security measures and best practices, including regular security scans, replacing deprecated projects, secure configuration of dependencies, developer education, and staying informed about emerging threats and best practices. 

By adopting these recommendations, organizations can bolster their security posture and safeguard their software ecosystems against potential breaches and vulnerabilities.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Hackers Target New NATO Member Sweden with Surge of DDoS Attacks
Ring to Pay Out $5.6m in Refunds After Customer Privacy Breach
New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data
The vision behind Starmus – A Q&A with the festival’s co-founder Garik Israelian
Beyond fun and games: Exploring privacy risks in children’s apps

Leave a Reply

Your email address will not be published. Required fields are marked *