Supply-Chain Attacks Could Be Possible Due to a PHP Composer Bug

A command injection vulnerability (CVE-2021-29472) was discovered in a widely used PHP package by a security researcher from SonarSource. An attacker could exploit this flaw to run arbitrary commands and plant a backdoor in any PHP package, resulting in a supply-chain attack.

A critical vulnerability in Composer’s source code was discovered during security research. The researchers were able to use it to execute arbitrary system commands on the Packagist[.]org server. The root cause is improper sanitization of repository URLs in root composer.json files: a package’s source download URL could be interpreted as a list of command-line options by the commands Composer runs.
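As an added defensive illustration (not Composer's own code and not the fix it shipped): a small Python check that flags repository URLs in a composer.json which would be parsed as command-line options if handed to a VCS tool unvalidated, plus an argv builder that ends option parsing with `--`. The function names, the scheme allow-list and the sample composer.json are constructed for this example.

```python
import json
import re
from urllib.parse import urlparse

# Assumed allow-list of schemes a VCS repository URL may use (constructed for this example).
ALLOWED_SCHEMES = {"https", "http", "ssh", "git", "svn", "svn+ssh", "hg"}
# Repository types whose "url" ends up as an argument to a VCS command.
VCS_TYPES = {"vcs", "git", "hg", "svn"}
# scp-style git URLs such as git@host:org/repo.git carry no URL scheme.
SCP_STYLE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[^\s]+$")


def is_safe_repo_url(url: str) -> bool:
    """True only if url cannot be mistaken for an option by git/hg/svn."""
    if not url or url.lstrip().startswith("-"):
        return False  # option-shaped argument: the core of an argument-injection bug
    parsed = urlparse(url)
    if parsed.scheme.lower() in ALLOWED_SCHEMES and parsed.netloc:
        return True
    return bool(SCP_STYLE.match(url))


def unsafe_repository_urls(composer_json: str) -> list:
    """Return every VCS repository URL in a composer.json that fails the check."""
    data = json.loads(composer_json)
    flagged = []
    for repo in data.get("repositories", []):
        if not isinstance(repo, dict) or repo.get("type") not in VCS_TYPES:
            continue
        url = repo.get("url", "")
        if not is_safe_repo_url(url):
            flagged.append(url)
    return flagged


def build_clone_argv(tool: str, url: str, dest: str) -> list:
    """Build an argv list for a clone; '--' guarantees the URL is positional, never an option."""
    if not is_safe_repo_url(url):
        raise ValueError("rejected repository URL: %r" % url)
    return [tool, "clone", "--", url, dest]


# Constructed sample: one ordinary repository and one option-shaped URL.
SAMPLE_COMPOSER_JSON = json.dumps({
    "repositories": [
        {"type": "vcs", "url": "https://example.com/org/good-package.git"},
        {"type": "vcs", "url": "--some-option=constructed-value"},
    ]
})

if __name__ == "__main__":
    print(unsafe_repository_urls(SAMPLE_COMPOSER_JSON))  # ['--some-option=constructed-value']
```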

To Read More: Cyware