Researchers have identified a dependency confusion vulnerability affecting an archived Apache project known as Cordova App Harness.
Dependency confusion attacks are possible because, when a dependency is referenced only by name, a package manager (or the registry proxy in front of it) can resolve that name from the public registry rather than the private one, typically preferring whichever copy carries the higher version number. A threat actor therefore only needs to publish a malicious package under the same name to a public package repository.
This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private one. If successful, the consequences can be serious, such as compromising every downstream consumer that installs the package.
A May 2023 analysis of npm and PyPI packages stored in cloud environments by cloud security firm Orca found that nearly 49% of organizations are vulnerable to a dependency confusion attack.
While npm and other package managers have since introduced mitigations that favor the private copy of a package, application security firm Legit Security said it found the Cordova App Harness project referencing an internal dependency named cordova-harness-client by bare name, with no relative file path, so the name was resolved against the public registry.
The open-source project was retired by the Apache Software Foundation (ASF) as of April 18, 2019.
As Legit Security demonstrated, this left the door wide open to a supply chain attack: uploading a malicious version under the same name with a higher version number caused npm to retrieve the bogus version from the public registry.
The bogus package attracted over 100 downloads after being uploaded to npm, which indicates that the archived project is still in use and that the exposure likely poses a real risk to users.
In a hypothetical attack scenario, an attacker could hijack the library to serve malicious code that executes on the target host at package installation time, for example through an install script.
The Apache security team has since addressed the issue by taking ownership of the cordova-harness-client package on the public registry. It is worth noting that organizations are advised to register their internal package names on public registries as placeholder packages, so that no attacker can claim them, as one defense against dependency confusion attacks.
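As an added example that is not code from Legit Security, Apache, or the Cordova App Harness project, the following Node.js script encodes the resolution rule the article describes and audits a package.json for it: a dependency written as a bare name plus a semver range is fetched from the default (public) registry, whereas a `file:` path, a git URL, or a scoped name whose scope is mapped to a private registry in `.npmrc` is not. The vulnerable and hardened package.json documents, the `@corp` scope, the `npm.corp.example` registry URL, and the "public registry snapshot" are all constructed for illustration; only the name cordova-harness-client comes from the article.

```javascript
// Added example: audit a package.json for dependency-confusion exposure.
// Illustrative code written for this page, not Legit Security's tooling
// or anything from the Cordova App Harness repository.

const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Parse the .npmrc lines that matter here: "key=value" pairs, including
// scope mappings such as "@corp:registry=https://npm.corp.example/".
function parseNpmrc(text) {
  const conf = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    conf[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return conf;
}

// Where will npm fetch this dependency from?
//  - file:/link: specs are read from disk and never touch a registry;
//  - git and http(s) URLs (and "owner/repo" GitHub shorthand) come from that URL;
//  - everything else (semver ranges, dist-tags) is a registry spec: a scoped name
//    goes to the registry mapped for its scope in .npmrc, an unscoped name goes to
//    the default registry, which is the public one unless .npmrc overrides it.
function resolveSource(name, spec, conf) {
  if (/^(file|link):/.test(spec)) return { kind: 'local' };
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:|https?:|ssh:)/.test(spec) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) {
    return { kind: 'url' };
  }
  const scope = name.startsWith('@') ? name.slice(0, name.indexOf('/')) : null;
  const registry = (scope && conf[`${scope}:registry`]) || conf.registry || DEFAULT_REGISTRY;
  return { kind: 'registry', registry, scoped: scope !== null };
}

// One finding per dependency. A dependency is exposed when it is meant to be
// internal but npm would ask the public registry for it: if nobody has claimed
// the name there, an attacker can publish it (the Cordova App Harness case); if
// someone already has, their copy wins whenever it satisfies the version range.
// Caveat: a private registry that transparently proxies the public one can
// reintroduce the problem on the server side; this audit only models npm itself.
function auditDependencies(pkg, npmrcText, internalNames, publicSnapshot) {
  const conf = parseNpmrc(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const src = resolveSource(name, spec, conf);
    const askedPublic = src.kind === 'registry' && src.registry === DEFAULT_REGISTRY;
    if (!askedPublic || !internalNames.has(name)) {
      findings.push({ name, spec, exposed: false,
        reason: src.kind === 'registry' ? `resolved from ${src.registry}` : `${src.kind} spec, no registry lookup` });
      continue;
    }
    const publicVersion = publicSnapshot[name];
    findings.push({ name, spec, exposed: true,
      reason: publicVersion === undefined
        ? 'internal name resolved from the public registry and not yet claimed there: anyone can publish it'
        : `internal name resolved from the public registry, where version ${publicVersion} is already published by a third party` });
  }
  return findings;
}

// Constructed package.json modelled on the pattern the article describes: an
// internal dependency referenced by bare name and semver range.
const vulnerablePkg = {
  name: 'cordova-app-harness-example',          // constructed
  dependencies: { 'cordova-harness-client': '^1.0.0', express: '^4.18.0' },
};

// Hardened variant: the internal package is scoped and the scope is pinned to a
// private registry in .npmrc (scope and URL are assumptions); a second internal
// module is referenced by a relative file: path instead of a registry lookup.
const hardenedPkg = {
  name: 'cordova-app-harness-example',
  dependencies: {
    '@corp/cordova-harness-client': '^1.0.0',
    'harness-ui': 'file:./packages/harness-ui',
    express: '^4.18.0',
  },
};
const hardenedNpmrc = '# constructed .npmrc\n@corp:registry=https://npm.corp.example/\n';

const internalNames = new Set(['cordova-harness-client', '@corp/cordova-harness-client', 'harness-ui']);
// Constructed snapshot of the public registry: express exists, the internal name does not (yet).
const publicSnapshot = { express: '4.0.0' };

function exposedNames(pkg, npmrcText, snapshot = publicSnapshot) {
  return auditDependencies(pkg, npmrcText, internalNames, snapshot)
    .filter((f) => f.exposed).map((f) => f.name);
}

for (const f of auditDependencies(vulnerablePkg, '', internalNames, publicSnapshot)) console.log(f);
for (const f of auditDependencies(hardenedPkg, hardenedNpmrc, internalNames, publicSnapshot)) console.log(f);
```

Run with `node` on a package.json of your own after replacing the constructed `internalNames` set with the names that exist only on your private registry; any name the audit reports as unclaimed on the public registry is exactly the kind of placeholder the article says organizations should register.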
"This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches," security researcher Ofek Haviv said.
"Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that aren't getting attention and are not likely to be fixed."