Had this vulnerability been exploited, it could have enabled a supply chain attack against the PHP community.
Composer, the PHP dependency manager, uses Packagist as its default package repository. Packagist aggregates all the public PHP packages that can be installed with Composer.
Over 2 billion packages are downloaded using Composer every month, which is a significant number.
Malicious dependencies could have been distributed through the newly discovered vulnerability, which could have led to the compromise of millions of servers had it been abused effectively.
The vulnerability is tracked as CVE-2022-24828 and is a command injection flaw: an attacker can control input that Composer interprets as command parameters.
CVE-2022-24828 is related to CVE-2021-29472, an earlier command injection vulnerability reported in Composer.
An attacker who controls a Git or Mercurial repository could use this vulnerability to target Packagist.org and Private Packagist.
Demonstration of CVE-2022-24828
Anyone who controls a Git or Mercurial repository may be able to exploit Composer via the branch names contained in a project’s composer.json file, in which the repository is explicitly listed by URL.
To take advantage of this vulnerability, an attacker would need to create a Mercurial repository containing a project for the exploit, then add a malicious ‘readme’ entry to its composer.json and a manifest to it.
Once the .sh payload has been created to perform the desired action, the project would then be imported into Packagist as a package.
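The fields named above (the readme entry and branch names in composer.json) are the kind of manifest values an integrator should validate before handing them to a VCS driver. The following is an added example, not Composer's or Packagist's own code, of a conservative pre-check for such values; the allow-list pattern and the choice of fields are assumptions made for illustration.

```python
import json
import re

# Conservative allow-list for readme paths and VCS branch/tag names (an assumption
# made for this check, not Composer's own validation): no leading '-', no shell
# metacharacters, no parent-directory traversal.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")
SHELL_META = re.compile(r"[;&|`$<>(){}\s]")


def classify(field, value):
    """Return None if the value looks safe, else a short reason string."""
    if not isinstance(value, str):
        return f"{field}: expected a string, got {type(value).__name__}"
    if value.startswith("-"):
        return f"{field}: starts with '-' and could be parsed as a command-line option"
    if SHELL_META.search(value):
        return f"{field}: contains shell metacharacters or whitespace"
    if ".." in value.split("/"):
        return f"{field}: contains parent-directory traversal"
    if not SAFE_VALUE.match(value):
        return f"{field}: outside the conservative allow-list"
    return None


def audit_manifest(text):
    """Audit a composer.json document and return the list of suspicious fields."""
    data = json.loads(text)
    candidates = []
    if "readme" in data:
        candidates.append(("readme", data["readme"]))
    # branch-alias keys are branch names (e.g. dev-main) that a VCS driver may act on
    for branch, alias in data.get("extra", {}).get("branch-alias", {}).items():
        candidates.append(("extra.branch-alias key", branch))
        candidates.append((f"extra.branch-alias[{branch}]", alias))
    findings = [classify(f, v) for f, v in candidates]
    return [f for f in findings if f is not None]


# Constructed sample manifests (not real packages).
BENIGN = '{"name": "acme/demo", "readme": "README.md", "extra": {"branch-alias": {"dev-main": "1.0.x-dev"}}}'
SUSPICIOUS = '{"name": "acme/demo", "readme": "--config=x", "extra": {"branch-alias": {"dev-main; id": "1.0.x-dev"}}}'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_manifest(doc) or "no findings")
```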
If you integrate Composer as a library and work with untrusted repositories, it is recommended that you upgrade to the following versions of Composer.
The Packagist maintainers were notified of this vulnerability on April 7, and a patch was published the following day. No exploitation in the wild has been reported.