Dependency Confusion Flaw Found in Old Apache Code
Recently, security researchers identified a new Dependency Confusion vulnerability affecting an archived Apache project, Cordova App Harness.
This class of vulnerability lets attackers trick a package manager into downloading a fraudulent package from a public repository instead of the intended private one. The supply-chain risk is significant: every client that installs the package can be infected.
A security analysis conducted by Orca in May last year revealed that nearly 49% of organizations are susceptible to Dependency Confusion attacks.
Although npm and other package managers have implemented measures to prioritize private versions, Legit Security found that the Cordova App Harness project references an internal dependency by name without specifying a relative file path, which leaves it vulnerable.
The Apache Software Foundation ceased support for the project on April 18, 2019, but, as the researchers found, the avenue for a supply chain attack remained open. The fraudulent version of the package uploaded to npm garnered more than 100 downloads, indicating that real developers still use the project and that the exposure extends to the wider software supply chain.
The Apache security team has since taken control of the cordova-harness-client package to avert further attacks, mitigating the immediate threat.
Experts recommend that organizations always register public stub packages under their internal package names in such cases, so that a Dependency Confusion attack has nothing to claim.
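The audit below is an added example, not code from the article or the Cordova project: it flags the pattern described above, an internal package referenced by bare name rather than a `file:` path, unless its scope is routed to a private registry in `.npmrc`, and it recommends a local path or a public stub for each finding. The list of internal package names, the `@acme` scope and the `npm.internal.example` registry are assumptions for the constructed sample.

```javascript
// Spec prefixes that npm resolves locally or from git rather than a registry.
const LOCAL_PREFIXES = ['file:', 'link:', './', '../', '/', 'git+', 'github:', 'git:'];

function isLocalSpec(spec) {
  return LOCAL_PREFIXES.some((p) => spec.startsWith(p));
}

// Collect the scopes an .npmrc routes to a specific registry ("@scope:registry=...").
function pinnedScopes(npmrcText) {
  const scopes = new Set();
  for (const raw of npmrcText.split('\n')) {
    const m = /^(@[^:\s]+):registry=/.exec(raw.trim());
    if (m) scopes.add(m[1]);
  }
  return scopes;
}

// internalNames: the organisation's own list of private package names (an assumption
// of this example). Returns one finding per dependency a same-named public package could shadow.
function auditDependencies(pkgJson, npmrcText, internalNames) {
  const pinned = pinnedScopes(npmrcText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!internalNames.has(name) || isLocalSpec(spec)) continue;
      const scope = name.startsWith('@') ? name.split('/')[0] : null;
      if (scope && pinned.has(scope)) continue; // routed to the private registry
      const fix = scope ? `route ${scope} to the private registry in .npmrc`
                        : `reference ${name} by file: path or register a public stub`;
      findings.push({ name, spec, field, fix });
    }
  }
  return findings;
}

// Constructed sample input (not the real Cordova App Harness manifest).
const SAMPLE_PKG = {
  dependencies: {
    'cordova-harness-client': '^1.0.0',     // internal, bare name: shadowable
    '@acme/telemetry': '^2.1.0',            // internal, scope pinned: ok
    'cordova-harness-core': 'file:../core', // internal, local path: ok
    express: '^4.18.0',                     // public package: not audited
  },
};
const SAMPLE_NPMRC = '@acme:registry=https://npm.internal.example/\n';
const INTERNAL = new Set(['cordova-harness-client', '@acme/telemetry', 'cordova-harness-core']);
console.log(auditDependencies(SAMPLE_PKG, SAMPLE_NPMRC, INTERNAL));
```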
As security researcher Ofek Haviv noted, this discovery underscores the need to treat third-party projects and dependencies as potential weak points in the software development process, particularly archived open source projects that may no longer receive regular updates or security patches.