Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.
“This vulnerability allows gaining control of Packagist,” SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.
The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting software supply chain attacks.
Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.
“An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project’s composer.json can use specially crafted branch names to execute commands on the machine running composer update,” Packagist disclosed in an April 2022 advisory.
A successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.
“Compromising [the backend services] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package,” Chauchefoin explained.
That said, there is no evidence the vulnerability has been exploited to date. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7, 2022.
Open source code has increasingly become a lucrative target of choice for threat actors owing to the ease with which they can be weaponized against the software supply chain.
Earlier this April, SonarSource also detailed a 15-year-old security flaw in the PEAR PHP repository that could permit an attacker to obtain unauthorized access and publish rogue packages and execute arbitrary code.
“While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users,” Chauchefoin said.