A dependency confusion vulnerability has been found within an archived Apache project.
According to new data by Legit Security, who made the discovery, the finding underscores the importance of scrutinizing third-party projects and dependencies, particularly those archived and potentially neglected in terms of updates and security patches.
The technical post, published today, suggests that despite the common practice of leaving archived projects untouched under the “if it’s not broken, don’t fix it” mentality, these projects often harbor vulnerabilities that go unaddressed.
Dependency confusion, also known as “dependency hijacking” or “substitution attack,” enables attackers to launch software supply chain attacks by infiltrating vulnerable dependencies in open-source software.
The attack occurs when a build references a private or local package and, because of a package-manager misconfiguration, the package manager instead fetches a similarly named malicious package from the public registry.
The Legit team demonstrated this vulnerability by exploiting the misconfiguration in the “Cordova App Harness,” an archived Apache project.
By uploading a malicious package under the same name with a higher version, they successfully hijacked the library, leading to over 100 downloads within three days. This underscores the ongoing use of archived projects and the potential security risks they pose.
Upon exploitation, attackers could execute arbitrary code on the host machine, potentially resulting in Remote Code Execution (RCE) within the production environment.
The Legit team reported the issue to Apache on March 24. Within a day, Apache acknowledged the report and accepted Legit’s suggested solution of publishing a public version of the private package so that attackers could not claim its name.
The Legit team highlighted that properly configuring package managers is essential to mitigate dependency confusion risks.
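The configuration check described in the two passages above, as an added example that is not code from Legit Security or Apache: it audits an npm-style package.json and .npmrc for the conditions that make dependency confusion possible (an internal package name with no private-registry binding, and a floating version range that lets a higher public version win). The article does not name the package manager used by Cordova App Harness, so the npm conventions, the package names and the registry URLs here are assumptions.

```javascript
// Added example, not code from Legit Security or Apache. Audits an npm-style
// package.json plus .npmrc for dependency-confusion exposure. The article does
// not name the package manager, so the npm conventions here are an assumption.

// Constructed list of package names that are published only internally.
const INTERNAL_PACKAGES = new Set(["internal-utils", "@acme/build-tools"]);

// Parse the scope->registry bindings from .npmrc, e.g.
// "@acme:registry=https://npm.acme.internal/" => Map { "@acme" => "https://npm.acme.internal/" }
function parseScopedRegistries(npmrcText) {
  const scopes = new Map();
  for (const line of npmrcText.split("\n")) {
    const m = line.trim().match(/^(@[^:]+):registry=(\S+)$/);
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// Return findings for internal dependencies that the public registry could satisfy:
// unscoped names (npm sends them to the default registry), scopes with no private
// registry binding, and, for those exposed names, floating ranges that prefer a
// higher public version over the internal one.
function auditDependencies(pkgJson, npmrcText, internalNames) {
  const scopes = parseScopedRegistries(npmrcText);
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!internalNames.has(name)) continue;
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    const exposure = scope === null
      ? "unscoped internal package resolves from the default (public) registry"
      : scopes.has(scope) ? null : `scope ${scope} has no private registry in .npmrc`;
    if (exposure === null) continue; // bound to a private registry: the public one is never consulted
    findings.push({ name, issue: exposure });
    if (!/^\d+\.\d+\.\d+$/.test(range)) {
      findings.push({ name, issue: `floating range "${range}" lets a higher public version win` });
    }
  }
  return findings;
}

// Constructed sample input: one exposed internal package, one correctly pinned and scoped.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "internal-utils": "^1.2.0", "@acme/build-tools": "2.0.1", "lodash": "^4.17.21" },
};
const SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.acme.internal/\n";

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_PACKAGES)) {
  console.log(`${f.name}: ${f.issue}`);
}
```

The remedy the findings point to is the one the article names: bind every internal scope to a private registry and pin internal versions, so the public registry is never consulted for those names.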
The security researchers emphasized the importance of proactive security measures and best practices, including regular security scans, replacing deprecated projects, secure configuration of dependencies, developer education, and staying informed about emerging threats and best practices.
By adopting these recommendations, organizations can bolster their security posture and safeguard their software ecosystems against potential breaches and vulnerabilities.