
Apache Cordova App Harness Targeted in Dependency Confusion Attack

Apr 23, 2024 | Newsroom | Supply Chain Attack / Software Security

[Image: Dependency Confusion Attack]

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness.

Dependency confusion attacks occur because package managers check public repositories before private registries, allowing a threat actor to publish a malicious package with the same name to a public package repository.

This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private one. If successful, it can have serious consequences, such as compromising all downstream customers that install the package.


A May 2023 analysis of npm and PyPI packages stored in cloud environments by cloud security company Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack.

While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Security said it found the Cordova App Harness project to reference an internal dependency named cordova-harness-client with no relative file path.

The open-source initiative was discontinued by the Apache Software Foundation (ASF) as of April 18, 2019.

As Legit Security demonstrated, this left the door wide open for a supply chain attack by uploading a malicious version under the same name with a higher version number, causing npm to retrieve the bogus version from the public registry.

[Image: Dependency Confusion Attack]

With the bogus package attracting over 100 downloads after being uploaded to npm, it indicates that the archived project is still in use, potentially posing severe risks to users.

In a hypothetical attack scenario, an attacker could hijack the library to serve malicious code that would be executed on the target host upon package installation.


The Apache security team has since addressed the problem by taking ownership of the cordova-harness-client package. It's worth noting that organizations are advised to create public packages as placeholders to prevent dependency confusion attacks.
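The weak spot described above is an internal dependency referenced by bare name, with no relative file path and no scope pinned to a private registry. The following audit script is an added example (not code from the article, Legit Security or the Apache project) that flags such references in a package.json; the package names, the .npmrc contents and the INTERNAL_NAMES set are constructed for illustration.

```python
import json
import re

# Constructed sample inputs (not from the article): a package.json that, like the
# archived Cordova App Harness project, names an internal dependency without a file path.
PACKAGE_JSON = json.dumps({
    "name": "example-harness",
    "dependencies": {
        "cordova-harness-client": "^1.0.0",        # unscoped internal name (risk)
        "@example-internal/tooling": "2.3.1",      # scoped, registry mapped in .npmrc
        "@example-other/lib": "1.0.0",             # scoped, but no registry mapping
        "local-helper": "file:../local-helper",    # relative path: never hits a registry
        "express": "^4.19.2",                      # genuine public package
    },
})
NPMRC = "@example-internal:registry=https://npm.example.internal/\nalways-auth=true\n"
# Names the organisation knows to be internal (assumed: maintained by the team).
INTERNAL_NAMES = {"cordova-harness-client"}

def scoped_registries(npmrc: str) -> set[str]:
    """Return the scopes that .npmrc pins to a specific registry."""
    return set(re.findall(r"^(@[^:\s]+):registry=", npmrc, re.M))

def audit(package_json: str, npmrc: str, internal: set[str]) -> dict[str, str]:
    """Classify each dependency by its exposure to dependency confusion."""
    deps = json.loads(package_json).get("dependencies", {})
    pinned = scoped_registries(npmrc)
    findings = {}
    for name, spec in deps.items():
        if re.match(r"^(file:|link:|git\+|https?://|github:|\.{1,2}/)", spec):
            findings[name] = "ok: resolved by path/URL, no registry lookup"
        elif name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope in pinned:
                findings[name] = f"ok: scope {scope} pinned to a private registry"
            else:
                findings[name] = f"risk: scope {scope} not mapped; claim it and pin it in .npmrc"
        elif name in internal:
            findings[name] = "risk: unscoped internal name; scope it or publish a public placeholder"
        else:
            findings[name] = "public: verify it is the intended package"
    return findings

if __name__ == "__main__":
    for name, verdict in audit(PACKAGE_JSON, NPMRC, INTERNAL_NAMES).items():
        print(f"{name:30} {verdict}")
```

Run it against a real project's package.json and .npmrc in CI; any "risk" line is a name that an attacker could register on the public registry ahead of you.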

“This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches,” security researcher Ofek Haviv said.

“Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that aren't getting attention and are not likely to be fixed.”
