Описание
Depending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during development, build, and release processes. This insertion could lead to remote code execution. We believe this vulnerability affects multiple package managers across multiple languages, including but not limited to: Python/pip, .NET/NuGet, Java/Maven, JavaScript/npm.
Attack scenarios
An attacker could take advantage of this ecosystem-wide issue to cause harm in a variety of ways. The original attack scenarios were discovered by Alex Birsan and are detailed in their whitepaper, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies.
With basic knowledge of the target ecosystems, an attacker could create an empty shell for a package and inse
Ссылки
- PatchVendor Advisory
- PatchVendor Advisory
Уязвимые конфигурации
EPSS
8.4 High
CVSS3
7.8 High
CVSS3
6.8 Medium
CVSS2
Дефекты
Связанные уязвимости
Package Managers Configurations Remote Code Execution Vulnerability
Package Managers Configurations Remote Code Execution Vulnerability
EPSS
8.4 High
CVSS3
7.8 High
CVSS3
6.8 Medium
CVSS2