5 October 2022

Researchers share details on a supply chain vulnerability in Packagist PHP repository


Researchers at code security company SonarSource released technical details on the now-patched vulnerability affecting Packagist, which could have been abused to launch supply chain attacks targeting the PHP community.

The flaw, tracked as CVE-2022-24828, impacts the PHP package manager Composer, which serves 2 billion software packages every month. The vulnerability is a command injection issue that allows a remote attacker to execute arbitrary shell commands on the target system by passing specially crafted data to the application when the Mercurial or Git driver is used.

“An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project's composer.json can use specially crafted branch names to execute commands on the machine running composer update,” the maintainers wrote in an April 2022 advisory.
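The bug class described above is worth seeing in miniature. The following PHP snippet is an added illustration, not Composer's own code or its actual fix: it contrasts an injectable way of building a VCS command line (interpolating a remotely supplied branch name straight into a shell string) with a hardened version that validates the ref name against a conservative allowlist and quotes every argument with escapeshellarg(). The function names, the ref-name policy and the sample branch names are all assumptions made for the example.

```php
<?php
// Added example (not Composer's code): injectable vs. hardened construction
// of a git command that takes a branch name supplied by a remote repository.

declare(strict_types=1);

// UNSAFE: the branch name is interpolated directly into a shell command.
// Any character the shell treats specially changes what the command does.
function buildCheckoutCommandUnsafe(string $repoPath, string $branch): string
{
    return "git -C $repoPath checkout $branch";
}

// Conservative allowlist for names we are willing to hand to a VCS tool.
// This is a deliberate subset of git's ref-name rules, not the complete
// check-ref-format specification: letters, digits, '.', '_', '-' and '/'.
// A name may not start with '-' (so it cannot be parsed as an option),
// may not contain '..' and may not end with '.lock'.
function isSafeRefName(string $ref): bool
{
    if ($ref === '' || strlen($ref) > 255) {
        return false;
    }
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._\/-]*\z/', $ref)) {
        return false;
    }
    if (strpos($ref, '..') !== false || substr($ref, -5) === '.lock') {
        return false;
    }
    return true;
}

// HARDENED: reject anything outside the policy, then quote each argument
// so the shell sees exactly one word per argument.
function buildCheckoutCommandSafe(string $repoPath, string $branch): string
{
    if (!isSafeRefName($branch)) {
        throw new InvalidArgumentException(
            'Rejected ref name: ' . json_encode($branch)
        );
    }
    return 'git -C ' . escapeshellarg($repoPath)
        . ' checkout ' . escapeshellarg($branch);
}

// Constructed sample branch names: two ordinary ones, and two that a
// remote repository could present but that must never reach a shell.
$samples = [
    'main',
    'feature/login-2',
    'v1.0; touch /tmp/marker',   // contains shell metacharacters
    '--output=/tmp/x',           // would be parsed as a command-line option
];

foreach ($samples as $branch) {
    echo 'unsafe: ', buildCheckoutCommandUnsafe('/srv/app', $branch), PHP_EOL;
    try {
        echo 'safe:   ', buildCheckoutCommandSafe('/srv/app', $branch), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   ', $e->getMessage(), PHP_EOL;
    }
}
```

Nothing here executes a command; the script only prints the strings each builder would produce, which is enough to see that the unsafe builder emits a second shell command for the third sample while the hardened builder refuses it. The general lesson for any tool that shells out with data from a dependency source is the same: treat every field of a remote repository (branch names, tags, paths) as untrusted input, validate it against an explicit policy, and pass arguments as discrete quoted words rather than as a concatenated string.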

The vulnerability was patched with the release of Composer versions 2.3.5, 2.2.12 and 1.10.26 in April 2022.

SonarSource says that the vulnerability could have been used to hijack over a hundred million requests to distribute malicious dependencies and compromise millions of servers.

CVE-2022-24828 is related to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, the researchers said, adding that they didn’t find evidence that the flaw was exploited by malicious actors.

