The maintainers of Composer, a package deal manager for PHP, have delivered an update to handle a important vulnerability that could have permitted an attacker to execute arbitrary commands and “backdoor every PHP package,” ensuing in a source-chain assault.
Tracked as CVE-2021-29472, the protection difficulty was identified and reported on April 22 by scientists from SonarSource, next which a hotfix was deployed significantly less than 12 hours afterwards.
“Mounted command injection vulnerability in HgDriver/HgDownloader and hardened other VCS motorists and downloaders,” Composer reported its launch notes for variations 2..13 and 1.10.22 published on Wednesday. “To the most effective of our knowledge the vulnerability has not been exploited.”
Composer is billed as a resource for dependency administration in PHP, enabling straightforward installation of offers pertinent to a challenge. It also permits end users to install PHP programs that are obtainable on Packagist, a repository that aggregates all general public PHP packages installable with Composer.
According to SonarSource, the vulnerability stems from the way offer supply download URLs are dealt with, possibly major to a circumstance exactly where an adversary could result in distant command injection. As proof of this conduct, the researchers exploited the argument injection flaw to craft a malicious Mercurial repository URL that will take edge of its “alias” choice to execute a shell command of the attacker’s preference.
“A vulnerability in such a central element, serving additional than 100 million bundle metadata requests per month, has a huge effect as this accessibility could have been employed to steal maintainers’ credentials or to redirect bundle downloads to 3rd-celebration servers offering backdoored dependencies,” SonarSource claimed.
The Geneva-dependent code security firm mentioned one particular of the bugs was introduced in November 2011, suggesting that the vulnerable code lurked suitable from the time growth on Composer started off 10 many years back. The initial “alpha” edition of Composer was unveiled on July 3, 2013.
“The influence to Composer people immediately is minimal as the composer.json file is typically beneath their have management and source obtain URLs can only be equipped by 3rd bash Composer repositories they explicitly believe in to obtain and execute supply code from, e.g. Composer plugins,” Jordi Boggiano, a person of the key builders powering Composer, stated.