The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and “backdoor every PHP package,” resulting in a supply-chain attack.
Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.
“Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders,” Composer said in its release notes for versions 2.0.13 and 1.10.22 published on Wednesday. “To the best of our knowledge the vulnerability has not been exploited.”
Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also lets users install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.
According to SonarSource, the vulnerability stems from the way package source download URLs are handled, potentially leading to a scenario where an adversary could trigger remote command injection. As proof of this behaviour, the researchers exploited the argument injection flaw to craft a malicious Mercurial repository URL that takes advantage of its “alias” option to execute a shell command of the attacker’s choice.
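The root cause described above is an argument injection: a “URL” that begins with a dash is parsed by the VCS binary as an option rather than a repository location. The following is an added illustration, not Composer's own code or SonarSource's proof of concept; it shows a defensive URL check, an argv builder that pins the URL into the positional slot with `--`, and a small audit over a constructed composer.lock fragment (the function names and the lock layout assumed here are this example's own).

```python
import json

def is_safe_vcs_url(url):
    """Return True only if `url` cannot be mistaken for a command-line option.

    A value starting with '-' would be consumed by `hg` (or `git`) as a flag,
    which is exactly how a repository URL turns into injected arguments.
    """
    if not url or url.startswith("-"):
        return False
    # Whitespace or control characters can split or terminate later argv /
    # shell handling, so treat them as unsafe as well.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    return True

def build_hg_clone_argv(url, dest):
    """Build an argv list for `hg clone` that cannot reinterpret the URL.

    Raises ValueError on an unsafe URL so it never reaches the process.
    The '--' separator tells hg that everything after it is positional,
    and the list form avoids any shell interpretation of the arguments.
    """
    if not is_safe_vcs_url(url):
        raise ValueError("refusing VCS URL: %r" % (url,))
    return ["hg", "clone", "--", url, dest]

def suspicious_source_urls(lock_text):
    """Audit helper: return (package, url) for every source/dist URL in a
    composer.lock document that fails is_safe_vcs_url (assumed layout:
    top-level 'packages' / 'packages-dev' lists with 'source' and 'dist')."""
    lock = json.loads(lock_text)
    flagged = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            for key in ("source", "dist"):
                url = (pkg.get(key) or {}).get("url")
                if url is not None and not is_safe_vcs_url(url):
                    flagged.append((pkg.get("name"), url))
    return flagged

# Constructed sample lock fragment: one normal package and one whose
# source URL is a bare option-looking string (a placeholder, not a payload).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/ok", "source": {"type": "hg", "url": "https://example.invalid/ok"}},
        {"name": "vendor/bad", "source": {"type": "hg", "url": "--constructed-option"}},
    ],
    "packages-dev": [],
})
```

Running `suspicious_source_urls(SAMPLE_LOCK)` flags only `vendor/bad`, which is the kind of entry a review of third-party repository metadata should stop on before any VCS command is built from it.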
“A vulnerability in such a central component, serving more than 100 million package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies,” SonarSource said.
The Geneva-based code security firm said one of the bugs was introduced in November 2011, suggesting that the vulnerable code lurked right from the time development on Composer started 10 years ago. The first “alpha” version of Composer was released on July 3, 2013.
“The impact to Composer users directly is limited as the composer.json file is usually under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins,” Jordi Boggiano, one of the core developers behind Composer, said.
Some parts of this article are sourced from:
thehackernews.com