Summary
GHSA-688c-gxc8-6xqp is a dependency confusion attack on nr-reports-core. The advisory metadata is incorrect in ways specific to this type of attack.
Description
The attempted substitution is for a sub-package within the top-level package nr-reports. My work here is to restore the target of the attack to a functioning state. That target lives in https://github.com/newrelic/nr-reports under the subdirectory https://github.com/newrelic/nr-reports/tree/main/nr-reports-cli. It can only be accessed by:
git clone https://github.com/newrelic/nr-reports
cd nr-reports-cli
npm install
There is no public version of the original package on NPM; only the substitute was ever published there. NPMJS.org has since disabled the substitute package, so it is no longer accessible.
It is important to correct these errors because they perpetuate the harm caused by the attack. The legitimate package under attack is entirely blocked as a result of these inaccuracies, which magnifies the damage. There is no longer any risk to the user community because the substituted malicious package is offline.
Corrections
Version
In the advisory, the introduced version is listed as 0 with no patched version, which marks every version as affected. This is wrong. The targeted versions are 0.0.1 and 1.1.1. The version of the current release (the real one, not the substitute) is 3.4.0. If the version range in the metadata were correct, the attack would fail and the targets would return to a functioning state. In the meantime the target package cannot be used in any version.
CWE
The CWE in the advisory is incorrect. It is given as:
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
However, that is wrong. A dependency confusion attack is classified as CWE-427: Uncontrolled Search Path Element.
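The install procedure in the Description (clone the monorepo, enter nr-reports-cli, run npm install) only restores a working setup if nr-reports-core is linked from the workspace rather than fetched from the public registry. The following is an added example, not code from the issue or from the nr-reports project: it scans an npm package-lock.json (lockfileVersion 2 or 3 layout assumed) for the signature a successful dependency confusion leaves behind, a private package name whose entry under node_modules was resolved from an http(s) registry instead of a workspace link. The lockfile contents, package versions and the helper names below are constructed for the example.

```javascript
// Added example (not part of the original issue or the nr-reports project):
// detect dependency confusion in an npm package-lock.json (lockfileVersion
// 2 or 3). A package that should come from a private source (here, a
// workspace directory) but was resolved from a public registry is flagged.

// Names that must never be fetched from a public registry. Derived from the
// lockfile's own workspace list; callers can add more via extraPrivateNames.
function privateNamesFromLock(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const names = new Set();
  for (const dir of root.workspaces || []) {
    const entry = pkgs[dir];
    // Fall back to the directory name when the workspace entry has no name.
    names.add(entry && entry.name ? entry.name : dir.split("/").pop());
  }
  return names;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"; keys without node_modules
// (workspace source directories) return null and are not checked.
function packageNameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// Returns one record per confused package. An entry is confused when its
// name is private and it was resolved from an http(s) URL that does not
// start with one of trustedPrefixes (e.g. an internal registry). Workspace
// links (link: true) and non-URL specs are not registry fetches.
function findConfusedPackages(lock, extraPrivateNames = [], trustedPrefixes = []) {
  const privateNames = privateNamesFromLock(lock);
  for (const n of extraPrivateNames) privateNames.add(n);
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !privateNames.has(name)) continue;
    if (entry.link === true) continue;
    const resolved = entry.resolved || "";
    if (!/^https?:\/\//.test(resolved)) continue;
    if (trustedPrefixes.some((p) => resolved.startsWith(p))) continue;
    findings.push({ key, name, version: entry.version, resolved });
  }
  return findings;
}

// Convenience wrapper for a lockfile on disk (hypothetical usage helper).
function checkLockfile(file, extraPrivateNames = [], trustedPrefixes = []) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(file, "utf8"));
  return findConfusedPackages(lock, extraPrivateNames, trustedPrefixes);
}

// Constructed sample lockfiles (not real nr-reports lockfiles). GOOD_LOCK is
// what a workspace install should look like: nr-reports-core is a link.
const GOOD_LOCK = {
  name: "nr-reports",
  lockfileVersion: 3,
  packages: {
    "": { name: "nr-reports", workspaces: ["nr-reports-core", "nr-reports-cli"] },
    "nr-reports-core": { name: "nr-reports-core", version: "3.4.0" },
    "nr-reports-cli": { name: "nr-reports-cli", version: "3.4.0", dependencies: { "nr-reports-core": "*" } },
    "node_modules/nr-reports-core": { resolved: "nr-reports-core", link: true },
    "node_modules/nr-reports-cli": { resolved: "nr-reports-cli", link: true },
    "node_modules/semver": { version: "7.6.0", resolved: "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz" },
  },
};

// CONFUSED_LOCK: the private name now resolves to a public registry tarball
// (constructed; the version and URL are illustrative, not the real attack).
const CONFUSED_LOCK = JSON.parse(JSON.stringify(GOOD_LOCK));
CONFUSED_LOCK.packages["node_modules/nr-reports-core"] = {
  version: "1.1.1",
  resolved: "https://registry.npmjs.org/nr-reports-core/-/nr-reports-core-1.1.1.tgz",
};

// Usage: findConfusedPackages(GOOD_LOCK) -> [] and
// findConfusedPackages(CONFUSED_LOCK) -> one record for nr-reports-core@1.1.1.
```

Run checkLockfile("package-lock.json") from the monorepo root after npm install; any finding means a workspace package was pulled from a registry and the install should be treated as compromised. Pass your internal registry URL in trustedPrefixes so a legitimate private mirror is not flagged.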
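The Version correction above says the advisory lists the introduced version as 0 with no patched version, and that as a result the package cannot be used in any version. The following is an added example, not from the issue or the GitHub Advisory Database: it evaluates an OSV/GHSA-style "affected" entry against concrete versions so the effect is visible. AS_PUBLISHED mirrors the shape the issue describes (introduced 0, no fixed event); CORRECTED is a hypothetical encoding of the issue's correction that lists only the two substituted versions explicitly. The version comparison is a minimal dotted-numeric compare, not full semver.

```javascript
// Added example (not from the issue or the GitHub Advisory Database):
// evaluate an OSV/GHSA "affected" entry against concrete versions to show
// why "introduced: 0" with no "fixed" event flags every version.

// Compare dotted numeric versions ("3.4.0" vs "1.1.1"). Enough for the
// release versions discussed here; it does not handle prerelease tags.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// OSV range semantics: events are sorted ascending; a version is affected
// when it is at or after an "introduced" event and before the next "fixed"
// event. "0" as introduced means "from the first version ever published".
function isInRange(version, range) {
  let affected = false;
  for (const ev of range.events) {
    if (ev.introduced !== undefined) {
      if (ev.introduced === "0" || compareVersions(version, ev.introduced) >= 0) affected = true;
    } else if (ev.fixed !== undefined) {
      if (compareVersions(version, ev.fixed) >= 0) affected = false;
    }
  }
  return affected;
}

// An entry may list exact "versions" and/or "ranges"; either one matching
// marks the version as affected.
function isAffected(version, entry) {
  if (Array.isArray(entry.versions) && entry.versions.includes(version)) return true;
  return (entry.ranges || []).some((r) => isInRange(version, r));
}

// Which of the given versions would an advisory-driven scanner flag?
function flaggedVersions(entry, candidates) {
  return candidates.filter((v) => isAffected(v, entry));
}

// Constructed entries (shapes only; not copied from the advisory).
const AS_PUBLISHED = {
  package: { ecosystem: "npm", name: "nr-reports-core" },
  ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "0" }] }],
};

// Hypothetical encoding of the issue's correction: only the substituted
// versions 0.0.1 and 1.1.1 are affected; the real release 3.4.0 is not.
const CORRECTED = {
  package: { ecosystem: "npm", name: "nr-reports-core" },
  versions: ["0.0.1", "1.1.1"],
};

// The versions the issue mentions: the two substitutes and the real release.
const RELEASES = ["0.0.1", "1.1.1", "3.4.0"];

// flaggedVersions(AS_PUBLISHED, RELEASES) -> ["0.0.1", "1.1.1", "3.4.0"]
// flaggedVersions(CORRECTED, RELEASES)    -> ["0.0.1", "1.1.1"]
```

The difference between the two results is exactly the harm the issue describes: under the published range a scanner rejects the legitimate 3.4.0 release along with the two substitutes, while the explicit version list lets 3.4.0 through.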