Researchers Report Supply Chain Vulnerability in Packagist PHP Repository
Oct 04, 2022
Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. "This vulnerability allows gaining control of Packagist ," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects. The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for performing software supply chain attacks . Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug ( CVE-2021-29472 ) that came to light in April 2021, suggesting an inadequate patch. "An attacker controlling a Git or Mercurial repository explicitly listed by UR