The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and “backdoor every PHP package,” resulting in a supply-chain attack.
Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.
“Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders,” Composer said in its release notes for versions 2.0.13 and 1.10.22 published on Wednesday. “To the best of our knowledge the vulnerability has not been exploited.”
Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.
According to SonarSource, the vulnerability stems from the way package source download URLs are handled, potentially leading to a scenario where an adversary could trigger remote command injection. As proof of this behavior, the researchers exploited the argument injection flaw to craft a malicious Mercurial repository URL that takes advantage of its “alias” option to execute a shell command of the attacker’s choice.
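The root cause described above is argument injection: a value meant to be a repository URL is placed on a VCS command line, and if it begins with a dash the VCS parses it as an option instead of a positional argument. The following is an added, illustrative example (not Composer's own code, which is PHP, and not SonarSource's proof of concept) of the two defensive measures a hardened VCS driver applies: reject candidate URLs that could ever be read as options, and terminate option parsing with `--` before the untrusted positional arguments. The allowed-scheme list and the function names are assumptions made for the example; the `--` end-of-options convention is assumed to be honoured by the `hg` CLI.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the schemes a hardened driver would accept for a
# Mercurial source. Anything else (including an empty scheme) is refused.
ALLOWED_SCHEMES = {"https", "ssh", "hg", "file"}


def is_safe_repo_url(url: str) -> bool:
    """Return True only if `url` can safely be passed to a VCS CLI as a positional argument.

    The first check is the one that matters for argument injection: a value
    starting with '-' would be interpreted by the VCS as an option, not a URL.
    The remaining checks refuse values that do not look like a repository URL at all.
    """
    if not url or url.startswith("-"):
        return False
    # Control characters or whitespace have no place in a download URL and can
    # confuse downstream parsers, so refuse them outright.
    if re.search(r"[\s\x00-\x1f\x7f]", url):
        return False
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Network schemes need a host; file:// needs at least a path.
    if parsed.scheme.lower() == "file":
        return bool(parsed.path)
    return bool(parsed.netloc)


def build_clone_argv(url: str, dest: str) -> list[str]:
    """Build the argv for an `hg clone`, never a shell string.

    Passing a list (shell=False in subprocess) prevents shell injection, and the
    explicit '--' tells the CLI that everything after it is positional, which
    prevents a dash-prefixed value from being parsed as an option even if the
    validation above were bypassed.
    """
    if not is_safe_repo_url(url):
        raise ValueError(f"refusing to clone from unsafe source URL: {url!r}")
    if dest.startswith("-"):
        raise ValueError(f"refusing unsafe destination path: {dest!r}")
    return ["hg", "clone", "--", url, dest]


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed URL and one value that an
    # option parser would treat as a flag rather than a URL.
    for candidate in ("https://example.org/vendor/library", "--constructed-option-value"):
        try:
            print(build_clone_argv(candidate, "vendor/library"))
        except ValueError as exc:
            print("rejected:", exc)
```

The argv is only built here, not executed; a real driver would hand it to `subprocess.run(argv)` (or the PHP equivalent) with no shell involved. The two defenses are independent: the validator catches dash-prefixed values early and gives a clear error, while `--` ensures that a value which slips past validation still cannot change the command's behaviour.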
“A vulnerability in such a central component, serving more than 100 million package metadata requests per month, has a huge impact as this access could have been used to steal maintainers’ credentials or to redirect package downloads to third-party servers delivering backdoored dependencies,” SonarSource said.
The Geneva-based code security firm said one of the bugs was introduced in November 2011, suggesting that the vulnerable code lurked right from the time development on Composer started 10 years ago. The first “alpha” version of Composer was released on July 3, 2013.
“The impact to Composer users directly is limited as the composer.json file is usually under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins,” Jordi Boggiano, one of the main developers behind Composer, said.