April 23, 2024 at 11:28AM
Researchers have found a vulnerability in the archived Apache project Cordova App Harness that exposes it to dependency confusion attacks. Over 49% of organizations are vulnerable. Despite npm's efforts to fix the issue, the Cordova App Harness project remains at risk. The discovery emphasizes the importance of addressing vulnerabilities in third-party projects and dependencies.
Key Takeaways from Meeting Notes:
1. Dependency Confusion Vulnerability: A vulnerability affecting the archived Apache project Cordova App Harness has been identified by researchers. This vulnerability can lead to dependency confusion attacks, allowing a threat actor to publish a malicious package with the same name to a public package repository, potentially causing serious consequences for downstream customers.
2. Vulnerability Statistics: A May 2023 analysis by cloud security company Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack due to packages stored in cloud environments.
3. Why the Fixes Did Not Help: While npm and other package managers have introduced fixes, the Cordova App Harness project remains vulnerable because it references an internal dependency by bare package name rather than by a relative file path, so the package manager can resolve that name against the public registry, opening the door to a supply chain attack.
4. Supply Chain Attack: Legit Security demonstrated the potential for a supply chain attack by uploading a malicious version with a higher version number, causing npm to retrieve the bogus version from the public registry. This resulted in over 100 downloads of the malicious package, indicating potential severe risks to users.
5. Hypothetical Attack Scenario: An attacker could hijack the library to serve malicious code that could be executed on the target host upon package installation.
6. Security Team Response: The Apache security team has addressed the problem by taking ownership of the vulnerable package. Organizations are advised to create public packages as placeholders to prevent dependency confusion attacks.
7. Security Implication: The discovery highlights the need to consider third-party projects and dependencies as potential weak links, particularly for archived open-source projects that may not receive regular updates or security patches.
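The root cause in takeaway 3 (an internal dependency declared by bare name instead of a relative path) and the placeholder advice in takeaway 6 can be checked mechanically. The following is an added example, not code from Apache, Legit Security or the Cordova App Harness project: it scans a package.json for dependencies that are known to be internal but are declared with a registry-style version range, which is exactly the shape npm would satisfy from the public registry. The internal package name and both manifests are constructed for illustration.

```javascript
// Constructed set of names the organisation publishes only internally.
// "internal-harness-client" is a hypothetical placeholder, not the real package.
const INTERNAL_PACKAGES = new Set(['internal-harness-client']);

// Specs that npm never resolves via the public registry: local paths,
// links, workspaces, git URLs, direct tarball URLs.
const LOCAL_SPEC = /^(file:|link:|workspace:|git\+|git:|ssh:|https?:\/\/|\.\.?\/|\/)/;

// Returns one finding per internal package that is declared as a bare
// registry spec (e.g. "^1.0.0"); an empty array means nothing is confusable.
function findConfusableDeps(manifestText, internalNames = INTERNAL_PACKAGES) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const isInternal = internalNames.has(name);
      const resolvesPublicly = !LOCAL_SPEC.test(String(spec));
      if (isInternal && resolvesPublicly) {
        findings.push({
          field,
          name,
          spec,
          // Mitigation mirrors the page: pin to a relative path, or occupy the
          // public name with a placeholder so nobody else can claim it.
          fix: `declare "${name}" as "file:<relative path>" or register a public placeholder`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample manifests: the risky form and the corrected form.
const RISKY_MANIFEST = JSON.stringify({
  name: 'harness-app',
  dependencies: { express: '^4.18.0', 'internal-harness-client': '^1.0.0' },
});
const FIXED_MANIFEST = JSON.stringify({
  name: 'harness-app',
  dependencies: { express: '^4.18.0', 'internal-harness-client': 'file:../internal-harness-client' },
});

console.log(findConfusableDeps(RISKY_MANIFEST)); // one finding for internal-harness-client
console.log(findConfusableDeps(FIXED_MANIFEST)); // []
```

Run it against a real manifest by passing the file contents and the organisation's actual internal package list; any finding is a candidate for a relative path or a public placeholder.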
Please let me know if you need any further details or if there are additional points you would like to discuss.