Researchers have identified a dependency confusion vulnerability impacting an archived Apache project known as Cordova App Harness.
Dependency confusion attacks happen due to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository.
This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private repository. If successful, it can have serious consequences, such as infecting all downstream customers that install the package.
A May 2023 analysis of npm and PyPI packages stored in cloud environments by cloud security company Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack.
While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Security said it found the Cordova App Harness project to reference an internal dependency named cordova-harness-client without a relative file path.
The open-source initiative was discontinued by the Apache Software Foundation (ASF) as of April 18, 2019.
As Legit Security demonstrated, this left the door wide open for a supply chain attack by uploading a malicious version under the same name with a higher version number, thus causing npm to retrieve the bogus version from the public registry.
With the bogus package attracting over 100 downloads after being uploaded to npm, it indicates that the archived project is still being put to use, likely posing severe risks to users.
In a hypothetical attack scenario, an attacker could hijack the library to serve malicious code that could be executed on the target host upon package installation.
The Apache security team has since addressed the issue by taking ownership of the cordova-harness-client package. It's worth noting that organizations are advised to create public packages as placeholders to prevent dependency confusion attacks.
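The defect described above (an internal dependency referenced by bare name rather than a relative file path) can be caught in a manifest before it is ever installed. The following is an added example, not Legit Security's or Apache's code: it scans a constructed package.json against a list of names an organization knows to be internal and flags those that npm would resolve through the public registry. The manifest, the .npmrc contents and the @example-corp scope are assumed sample values.

```javascript
// Constructed sample manifest modeled on the defect in the article: an internal
// package referenced by bare name and version range, alongside safer forms.
const samplePackageJson = {
  name: "example-harness",
  dependencies: {
    "cordova-harness-client": "^1.0.0",       // internal, bare name: at risk
    "@example-corp/internal-utils": "^2.1.0", // scoped; safe only if scope maps to a private registry
    "local-plugin": "file:../local-plugin",   // relative file path: never consults a registry
    "express": "^4.18.0"                      // genuinely public, not in the internal list
  }
};
// Constructed .npmrc pinning the @example-corp scope to a private registry.
const sampleNpmrc = "@example-corp:registry=https://npm.example.internal/\n";

// Collect scopes that .npmrc routes to a specific registry (lines like "@scope:registry=URL").
function parseScopedRegistries(npmrcText) {
  const scopes = new Set();
  for (const line of npmrcText.split(/\r?\n/)) {
    const m = line.match(/^\s*(@[^:\s]+):registry=/);
    if (m) scopes.add(m[1]);
  }
  return scopes;
}

// Return internal dependencies whose resolution could fall through to the public registry.
function findConfusableDeps(manifest, internalNames, npmrcText) {
  const privateScopes = parseScopedRegistries(npmrcText);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!internalNames.has(name)) continue;
      if (/^(file|link):/.test(spec)) continue;         // resolved from the local tree
      const scope = name.startsWith("@") ? name.split("/")[0] : null;
      if (scope && privateScopes.has(scope)) continue;   // pinned to a private registry
      findings.push({
        section, name, spec,
        reason: scope ? "scope is not mapped to a private registry"
                      : "unscoped internal name resolves via the public registry"
      });
    }
  }
  return findings;
}

const internal = new Set(["cordova-harness-client", "@example-corp/internal-utils", "local-plugin"]);
console.log(findConfusableDeps(samplePackageJson, internal, sampleNpmrc));
```

Running the same scan with an empty .npmrc also flags the scoped package, which is the point of the check: a scope only protects when the registry mapping actually exists on the installing machine.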
“This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches,” security researcher Ofek Haviv said.
“Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that are not getting attention and not likely to be fixed.”