Dependency Confusion Vulnerability Found in Apache Project
Legit Security has disclosed a dependency confusion vulnerability in an archived Apache project, the Cordova App Harness. The finding is a reminder that third-party projects and dependencies need scrutiny even after they are archived: archived repositories are still cloned and built, but they no longer receive updates or security patches.

Dependency confusion (also called dependency hijacking) abuses the way package managers resolve names. When a project declares a dependency that is not published on the public registry, for example an internal or never-published package, an attacker can publish a package under that same name to the public registry. A package manager that consults the public registry will then download and install the attacker's package in place of the intended one. Legit demonstrated this against a misconfigured dependency in the Cordova App Harness project: the package they published as a proof of concept was downloaded more than 100 times within three days, showing that the archived project is still in active use. An attacker in the same position could run arbitrary code on every machine that installs the package (typically through install-time scripts), which can amount to remote code execution in a production environment.

Legit reported the issue to Apache on March 24; Apache promptly acknowledged the report and accepted Legit's proposed fix to prevent exploitation. The researchers stress that correctly configuring package managers, so that private packages are always resolved from the private registry and never fall through to the public one, is the key mitigation. They also recommend regular security scans, replacing deprecated or archived projects, secure configuration of dependencies, developer education, and staying informed about emerging threats. Organizations that follow these practices reduce the risk of a supply chain compromise in their software ecosystems.
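The following is an added example, not Legit Security's tooling and not code from the Cordova App Harness project. It shows the two checks a practitioner would run to catch the misconfiguration described above in an npm project: an offline audit of package.json and package-lock.json that flags private packages referenced by a bare (unscoped) name or pinned to a registry other than the internal one, and a check that .npmrc routes the organization's scope to the internal registry. The organization name "acme", the scope @acme, the internal registry host, the package name acme-harness-client and all package.json, lockfile and .npmrc contents are constructed for the example.

```python
"""Offline dependency-confusion audit for an npm project (added example).

Assumptions (all constructed for illustration): a fictional organisation
"acme" publishes private packages under the @acme scope on an internal
registry; "acme-harness-client" is a private package that was never scoped.
"""
import json
import re
from urllib.parse import urlparse

INTERNAL_REGISTRY = "https://npm.internal.acme.example/"  # assumed internal registry
INTERNAL_SCOPE = "@acme"                                   # assumed private scope
# Private packages known to be referenced by a bare name (constructed list).
INTERNAL_UNSCOPED = {"acme-harness-client"}


def internal_host() -> str:
    return urlparse(INTERNAL_REGISTRY).netloc


def find_confusable_deps(package_json: str, lockfile: str) -> list:
    """Return (package, reason) pairs for dependencies exposed to confusion.

    unscoped-internal-name : a private package is referenced by a bare name,
                             so anyone can register that name on the public registry.
    resolved-from-public   : the lockfile pins a private package to a host other
                             than the internal registry (confusion already happened).
    not-in-lockfile        : a declared dependency has no lock entry, so every
                             install re-resolves it and may hit the public registry.
    """
    pkg = json.loads(package_json)
    lock = json.loads(lockfile)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(pkg.get(section, {}))
    # lockfileVersion 2/3 keys top-level entries as "node_modules/<name>".
    resolved = {}
    for path, entry in lock.get("packages", {}).items():
        if path.startswith("node_modules/"):
            resolved[path[len("node_modules/"):]] = entry.get("resolved", "")
    findings = []
    for name in sorted(deps):
        is_internal = name.startswith(INTERNAL_SCOPE + "/") or name in INTERNAL_UNSCOPED
        if name in INTERNAL_UNSCOPED:
            findings.append((name, "unscoped-internal-name"))
        if name not in resolved:
            findings.append((name, "not-in-lockfile"))
        elif is_internal and urlparse(resolved[name]).netloc != internal_host():
            findings.append((name, "resolved-from-public"))
    return findings


def npmrc_pins_scope(npmrc: str) -> bool:
    """True when .npmrc has an `@scope:registry=` line pointing the private
    scope at the internal registry, so scoped installs never fall through
    to the default (public) registry."""
    for line in npmrc.splitlines():
        line = re.split(r"[;#]", line, 1)[0].strip()   # strip .npmrc comments
        if line.startswith(INTERNAL_SCOPE + ":registry="):
            value = line.split("=", 1)[1].strip()
            return urlparse(value).netloc == internal_host()
    return False


# --- constructed sample inputs ------------------------------------------------
PACKAGE_JSON = """{
  "name": "acme-app",
  "dependencies": {
    "express": "^4.18.2",
    "@acme/internal-utils": "^1.0.0",
    "acme-harness-client": "^2.1.0"
  },
  "devDependencies": { "eslint": "^8.0.0" }
}"""

# acme-harness-client was resolved from the public registry: the confusion case.
LOCKFILE = """{
  "name": "acme-app", "lockfileVersion": 3,
  "packages": {
    "": { "name": "acme-app" },
    "node_modules/express": {
      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz" },
    "node_modules/@acme/internal-utils": {
      "resolved": "https://npm.internal.acme.example/@acme/internal-utils/-/internal-utils-1.0.0.tgz" },
    "node_modules/acme-harness-client": {
      "resolved": "https://registry.npmjs.org/acme-harness-client/-/acme-harness-client-2.1.0.tgz" }
  }
}"""

WEAK_NPMRC = "registry=https://registry.npmjs.org/\n"
FIXED_NPMRC = (
    "registry=https://registry.npmjs.org/\n"
    "@acme:registry=https://npm.internal.acme.example/   ; pin the private scope\n"
    "//npm.internal.acme.example/:_authToken=${NPM_TOKEN}\n"
)

if __name__ == "__main__":
    for name, reason in find_confusable_deps(PACKAGE_JSON, LOCKFILE):
        print(f"{reason:24} {name}")
    print("weak .npmrc pins scope:", npmrc_pins_scope(WEAK_NPMRC))
    print("fixed .npmrc pins scope:", npmrc_pins_scope(FIXED_NPMRC))
```

Scope pinning in .npmrc only protects scoped names; a bare private name such as the constructed acme-harness-client stays confusable until it is renamed into the scope (or the public name is claimed by the organization), which is why the audit reports it separately from the lockfile checks.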
News source
https://www.infosecurity-magazine.com/news/dependency-confusion-flaw-found/