A vulnerability discovered in an archived Apache project illustrates the risk of building on unmaintained dependencies. The attack, known as dependency confusion, abuses package-manager resolution: an attacker publishes to a public repository a malicious package with the same name as a private dependency, and any system that resolves public packages ahead of private ones pulls the attacker's version in during installation. The issue is especially serious for archived projects, which no longer receive security updates, and underscores the need for careful dependency management and a clear view of the security implications of reusing obsolete open-source components. Dependency confusion is classed as a software supply chain attack because the harmful code is injected at install time, before the application itself ever runs.

Vulnerability found in an archived Apache project allows for supply chain attacks

Package managers now offer settings that pin private packages to a private registry, but an incorrect configuration leaves a system exposed regardless. An investigation of the Cordova App Harness project found a possible weakness in how it referenced a local dependency, cordova-harness-client, together with a related local path traversal concern. By exploiting how NPM resolves dependencies, an attacker who publishes a public package under that name with a higher version number can have it installed in place of the local package. The findings were reported to the Apache security team along with mitigation advice, but dependency confusion remains a live threat: the practical defence is well-structured package manager settings (for example, private package scopes bound to the private registry) and strict version control through lockfiles, so that a public package can never silently replace a private one.
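As an added example (not code from the Cordova project, the article, or Apache), the following Node.js script audits a manifest against a weak and a hardened .npmrc and reports which private names could be satisfied from the public registry. Every package name other than express, the registry host npm.internal.example, the @acme scope, the private-name list and the version ranges are constructed for the demonstration.

```javascript
// Added example (not code from the Cordova project or the article): a small
// dependency-confusion audit for an npm manifest plus .npmrc. Every package
// name, registry host and version range below is constructed for the demo.

// Weak .npmrc: only the default registry is set, so every name, private or
// not, is resolved against the public registry.
const WEAK_NPMRC = [
  "registry=https://registry.npmjs.org/",
].join("\n");

// Hardened .npmrc: private packages live under a scope, and that scope is
// bound to the internal registry. Unscoped names still go to npmjs, which
// is exactly why private packages must be scoped.
const HARDENED_NPMRC = [
  "registry=https://registry.npmjs.org/",
  "@acme:registry=https://npm.internal.example/",
  "//npm.internal.example/:_authToken=${NPM_TOKEN}",
].join("\n");

// Constructed manifest in the shape of the Cordova App Harness case: a
// private helper referenced by an unscoped name next to ordinary deps.
const PACKAGE_JSON = {
  name: "harness-app",
  dependencies: {
    "cordova-harness-client": "^1.0.0",  // unscoped private name (hypothetical range)
    "@acme/harness-client": "^1.0.0",    // same helper, scoped (hypothetical)
    "express": "^4.18.0",                // genuinely public dependency
    "local-tool": "file:../local-tool",  // private helper installed from a path
  },
};

// Names that are only ever published internally (constructed list; in
// practice generate it from the private registry's package index).
const PRIVATE_NAMES = new Set([
  "cordova-harness-client",
  "@acme/harness-client",
  "local-tool",
]);

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Parse the key=value lines of an .npmrc into an object; comments and blank
// lines are skipped.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// "@acme/foo" -> "@acme"; unscoped names return null.
function scopeOf(name) {
  return name.startsWith("@") && name.includes("/")
    ? name.slice(0, name.indexOf("/"))
    : null;
}

// Registry npm will use for a name: the scope's registry if one is bound in
// .npmrc, otherwise the default (npmjs when nothing is set).
function registryFor(name, cfg) {
  const scope = scopeOf(name);
  if (scope && cfg[`${scope}:registry`]) return cfg[`${scope}:registry`];
  return cfg.registry || PUBLIC_REGISTRY;
}

function sameRegistry(a, b) {
  return a.replace(/\/+$/, "") === b.replace(/\/+$/, "");
}

// One finding per confusable private dependency. Public dependencies are
// skipped: confusion only targets names that must never come from npmjs.
function auditDependencies(pkg, npmrcText, privateNames) {
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (!privateNames.has(name)) continue;
    const registry = registryFor(name, cfg);
    if (!sameRegistry(registry, PUBLIC_REGISTRY)) continue; // bound to private registry
    if (/^(file|link):/.test(spec)) {
      // npm installs this one from the path, but the name is still unclaimed
      // publicly: anything that later asks for it by version resolves there.
      findings.push({ name, registry, severity: "medium",
        reason: "installed from a local path, but the name resolves publicly when requested by version" });
    } else {
      findings.push({ name, registry, severity: "high",
        reason: scopeOf(name)
          ? "scope is not bound to a private registry in .npmrc"
          : "unscoped private name resolves against the public registry; a higher public version wins" });
    }
  }
  return findings;
}

for (const [label, rc] of [["weak", WEAK_NPMRC], ["hardened", HARDENED_NPMRC]]) {
  console.log(`${label} .npmrc:`);
  for (const f of auditDependencies(PACKAGE_JSON, rc, PRIVATE_NAMES)) {
    console.log(`  [${f.severity}] ${f.name} -> ${f.registry}: ${f.reason}`);
  }
}
```

The weak configuration flags every private name. The hardened one still flags cordova-harness-client and local-tool, because binding a scope to the private registry protects only names that carry that scope; moving the helper to @acme/harness-client, or claiming the unscoped name on the public registry with a placeholder, is what closes the gap.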
https://cybersecuritynews.com/vulnerability-found-in-an-archived-apache-project/