gsd-2021-24105
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
Package Managers Configurations Remote Code Execution Vulnerability
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-24105",
"description": "Package Managers Configurations Remote Code Execution Vulnerability",
"id": "GSD-2021-24105",
"references": [
"https://www.suse.com/security/cve/CVE-2021-24105.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-24105"
],
"details": "Package Managers Configurations Remote Code Execution Vulnerability",
"id": "GSD-2021-24105",
"modified": "2023-12-13T01:23:37.212955Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2021-24105",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Package Manager Configurations",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "N/A"
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "\u003cp\u003eDepending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager\u0027s repository which can be retrieved and used during development, build, and release processes. This insertion could lead to remote code execution. We believe this vulnerability affects multiple package managers across multiple languages, including but not limited to: Python/pip, .NET/NuGet, Java/Maven, JavaScript/npm.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAttack scenarios\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eAn attacker could take advantage of this ecosystem-wide issue to cause harm in a variety of ways. The original attack scenarios were discovered by Alex Birsan and are detailed in their whitepaper, \u003ca href=\"https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610\"\u003eDependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies\u003c/a\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eWith basic knowledge of the target ecosystems, an attacker could create an empty shell for a package and insert malicious code in the install scripts, give it a high version, and publish it to the public repository. Vulnerable victim machines will download the higher version of the package between the public and private repositories and attempt to install it. Due to code incompatibility it will probably error out upon import or upon compilation, making it easier to detect; however the attacker would have gained code execution by that point.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003eAn advanced attacker with some inside knowledge of the target could take a copy of a working package, insert the malicious code (in the package itself or in the install), and then publish it to a public repository. The package will likely install and import correctly, granting the attacker an initial foothold and persistence.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese two methods could affect target organizations at any of these various levels:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeveloper machines\u003c/li\u003e\n\u003cli\u003eAn entire team if the configuration to import the malicious package is uploaded to a code repository\u003c/li\u003e\n\u003cli\u003eContinuous integration pipelines if they pull the malicious packages during the build, test, and/or deploy stages\u003c/li\u003e\n\u003cli\u003eCustomers, download servers, production services if the malicious code has not been detected\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis remote code execution vulnerability can only be addressed by reconfiguring installation tools and workflows, and not by correcting anything in the package repositories themselves. See the \u003cstrong\u003eFAQ\u003c/strong\u003e section of this CVE for configuration guidance.\u003c/p\u003e\n"
}
]
},
"impact": {
"cvss": [
{
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105",
"refsource": "MISC",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:package_manager_configurations:-:*:*:*:*:*:*:*",
"matchCriteriaId": "71D274DE-99A4-4FC3-A43B-53A2D68A0E09",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "\u003cp\u003eDepending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager\u0027s repository which can be retrieved and used during development, build, and release processes. This insertion could lead to remote code execution. We believe this vulnerability affects multiple package managers across multiple languages, including but not limited to: Python/pip, .NET/NuGet, Java/Maven, JavaScript/npm.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAttack scenarios\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eAn attacker could take advantage of this ecosystem-wide issue to cause harm in a variety of ways. The original attack scenarios were discovered by Alex Birsan and are detailed in their whitepaper, \u003ca href=\"https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610\"\u003eDependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies\u003c/a\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eWith basic knowledge of the target ecosystems, an attacker could create an empty shell for a package and insert malicious code in the install scripts, give it a high version, and publish it to the public repository. Vulnerable victim machines will download the higher version of the package between the public and private repositories and attempt to install it. Due to code incompatibility it will probably error out upon import or upon compilation, making it easier to detect; however the attacker would have gained code execution by that point.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003eAn advanced attacker with some inside knowledge of the target could take a copy of a working package, insert the malicious code (in the package itself or in the install), and then publish it to a public repository. The package will likely install and import correctly, granting the attacker an initial foothold and persistence.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese two methods could affect target organizations at any of these various levels:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeveloper machines\u003c/li\u003e\n\u003cli\u003eAn entire team if the configuration to import the malicious package is uploaded to a code repository\u003c/li\u003e\n\u003cli\u003eContinuous integration pipelines if they pull the malicious packages during the build, test, and/or deploy stages\u003c/li\u003e\n\u003cli\u003eCustomers, download servers, production services if the malicious code has not been detected\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis remote code execution vulnerability can only be addressed by reconfiguring installation tools and workflows, and not by correcting anything in the package repositories themselves. See the \u003cstrong\u003eFAQ\u003c/strong\u003e section of this CVE for configuration guidance.\u003c/p\u003e\n"
},
{
"lang": "es",
"value": "Una Vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota en Package Managers Configurations"
}
],
"id": "CVE-2021-24105",
"lastModified": "2023-12-29T17:15:58.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
},
"published": "2021-02-25T23:15:16.303",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…