Package managers suffer multiple security flaws
Multiple security vulnerabilities have been disclosed in popular package managers that could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines.
The flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers. Package managers are systems or sets of tools used to automate installing, upgrading, and configuring the third-party dependencies required for developing applications.
The newly discovered issues in various package managers highlight that they could be weaponized by attackers to trick victims into executing malicious code. The flaws have been identified in the following package managers:
· Composer 1.x < 1.10.23 and 2.x < 2.1.9
· Bundler < 2.2.33
· Bower < 1.8.13
· Poetry < 1.1.9
· Yarn < 1.22.13
· pnpm < 6.15.1
· Pip (no fix), and
· Pipenv (no fix)
Additional argument injection and untrusted search path vulnerabilities discovered in Bundler, Poetry, Yarn, Composer, Pip, and Pipenv meant that a bad actor could gain code execution by means of a malware-laced git executable or an attacker-controlled file such as a Gemfile that is used to specify the dependencies for Ruby programs.
The chief among the weaknesses is a command injection flaw in Composer's browse command that could be abused to achieve arbitrary code execution by inserting a URL to an already published malicious package.
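The two vulnerability classes named above, an untrusted search path (a planted `git` that shadows the real one) and argument or command injection through attacker-controlled values such as a package URL, can both be checked for on the defending side. The following is an added example written for this page; it is not code from the article or from any of the affected projects, and the helper names (`untrusted_path_entries`, `resolve_git`, `check_package_url`, `git_argv`) and the sample inputs are constructed for illustration.

```python
"""Defensive checks for untrusted search paths and argument/command injection
in package-manager tooling. Example code for this page; names are invented."""
import os
import re
import stat

# Characters that would change the meaning of a command if a value were ever
# interpolated into a shell string instead of passed as a separate argv item.
SHELL_META = re.compile(r"[;&|`$<>(){}\s\"'\\]")


def path_entries(path_env):
    """Split a PATH value; an empty entry means 'current directory' on POSIX."""
    return [entry or "." for entry in path_env.split(os.pathsep)]


def untrusted_path_entries(path_env, cwd):
    """Return (entry, reason) pairs for PATH entries that an attacker-controlled
    checkout could use to plant a fake `git` the package manager would then run."""
    flagged = []
    cwd_real = os.path.realpath(cwd)
    for entry in path_entries(path_env):
        if not os.path.isabs(entry):
            flagged.append((entry, "relative entry, resolved against the working directory"))
        elif os.path.realpath(entry) == cwd_real:
            flagged.append((entry, "PATH contains the working directory itself"))
        else:
            try:
                mode = os.stat(entry).st_mode
            except OSError:
                continue  # a missing directory cannot host a shadowing binary
            if mode & stat.S_IWOTH:
                flagged.append((entry, "world-writable directory"))
    return flagged


def resolve_git(path_env, cwd):
    """Locate the `git` that would actually run, skipping untrusted PATH entries."""
    bad = {entry for entry, _ in untrusted_path_entries(path_env, cwd)}
    for entry in path_entries(path_env):
        if entry in bad:
            continue
        candidate = os.path.join(entry, "git")
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def check_package_url(url):
    """Return the reasons a value is unsafe to hand to git or a browser: it
    would be parsed as an option (argument injection), contains shell syntax,
    or is not a URL scheme the tool should accept."""
    problems = []
    if url.startswith("-"):
        problems.append("starts with '-' and would be parsed as an option")
    if SHELL_META.search(url):
        problems.append("contains shell metacharacters")
    if not re.match(r"^(https?|ssh|git)://", url):
        problems.append("not an http(s)/ssh/git URL")
    return problems


def git_argv(subcommand, url):
    """Build an argv list (never a shell string) and put '--' before the URL so
    git treats it as a positional argument regardless of its content."""
    problems = check_package_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    return ["git", subcommand, "--", url]


if __name__ == "__main__":
    # Constructed inputs for demonstration, not real findings.
    print(untrusted_path_entries(os.environ.get("PATH", ""), os.getcwd()))
    for sample in ["https://example.com/vendor/pkg.git", "--not-a-url",
                   "https://example.com/pkg;id"]:
        print(sample, check_package_url(sample))
```

The PATH check is what a developer workstation or CI image should fail on before any package manager is allowed to shell out to `git`; the URL check and the `--` separator are the usual hardening for tools that accept repository locations from a lockfile or manifest they did not author.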