Vulnerability in Apache Project  Let Hackers Launch Supply Chain Attacks

Researchers discovered a vulnerability in an archived Apache project, highlighting the risk of using outdated third-party dependencies, where attackers can exploit the way package managers prioritize public repositories to install a malicious package with the same name as a legitimate private dependency. 

The vulnerability is especially concerning for archived projects, as they likely won’t receive security patches, emphasizing the importance of carefully managing dependencies and considering the security implications of using outdated open-source components. 

Dependency confusion, a software supply chain attack, exploits package manager behavior by prioritizing public repositories, where the attackers place a malicious package with the same name as a private dependency in a public repository. 

During installation, the unsuspecting system downloads the public package instead of the intended private one, potentially injecting malicious code. To mitigate this, package managers now offer configurations to prioritize private repositories, but improper configuration leaves systems vulnerable. 

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

While analyzing open-source projects, a potential vulnerability is identified in the archived “Cordova App Harness” by Apache, and the project relies on a local dependency named “cordova-harness-client” referenced in the package.json file. 

local dependency called “cordova-harness-client

The dependency is located within the project’s node_modules directory, suggesting a potential local path traversal issue if not properly sanitized. 

A vulnerability in NPM dependency resolution allows attackers to publish malicious packages with higher versions that supersede locally linked packages and by referencing a local package with a relative file path in the `package.json`, developers can mitigate this risk. 

The package behind the dependency is placed under node_modules/cordova-harness-client.

An experiment where a public, harmless package with a higher version number was published revealed over 100 downloads in just three days, indicating the referenced local library is likely still in use and potentially vulnerable to a real attack. 

The finding suggests an archived parent application, Cordova App Harness, might have security risks due to its continued use of a potentially vulnerable local dependency. 

Weekly Downloads

A vulnerability exists that allows attackers to remotely execute arbitrary code on the system running the targeted application, which leverages the application’s privileges, granting the attacker the same level of access on the compromised machine. 

A vulnerability in a public npm package was discovered on March 17th, 2024; despite the first version being released the same day, downloads began on March 19th and to prevent exploitation, a detailed report with a mitigation strategy (holding a public version of the private package) was sent to the Apache security team on March 24th. 

According to Legit Security, the team acknowledged the report on March 25th. The public version was transferred to them on March 26th, while dependency confusion exploits weaknesses in package manager configurations to inject malicious code. 

Attackers can abuse naming conventions, package manager behaviors, and repository setups. To mitigate these risks, organizations must properly configure package managers, like NPM, which involves specifying trusted repositories and enforcing version control to ensure legitimate dependencies are downloaded, reducing the attack surface for dependency confusion. 

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.