search

Kiash254 / COM-404E-Project-on-Breast-Cancer-using-ML

0 stars 0 forks source link

Deleted dependency detected #1

Open ashishbijlani opened 10 months ago

ashishbijlani commented 10 months ago

I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks.

Issue

During my research, I found that this repo is vulnerable to attack due to missing deleted dependency from the public PyPI registry.

Details

Specifically, file https://github.com/Kiash254/COM-404E-Project-on-Breast-Cancer-using-ML/blob/1eb8e9c8f008cccd8e26357c31eee0f091bf851a/requirements.txt lists crackmapexec as one of the dependencies. However, it has been deleted from public PyPI. As such, an external bad actor can claim that name and register a malicious package, which will be then installed with pip install command, resulting in arbitrary remote code execution.

Impact

Not only your apps/services using https://github.com/Kiash254/COM-404E-Project-on-Breast-Cancer-using-ML repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.

You could read more about such attacks here: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Remediation

Please manually register a placeholder crackmapexec package on PyPI immediately or remove crackmapexec dependency from https://github.com/Kiash254/COM-404E-Project-on-Breast-Cancer-using-ML/blob/1eb8e9c8f008cccd8e26357c31eee0f091bf851a/requirements.txt to fix this vulnerability.

To automatically fix such issues in future, please install PackjGuard Github app [1].

Thanks!

  1. PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard
Kiash254 commented 10 months ago

i will just remove the requirements noted with thanks

On Tue, Dec 19, 2023 at 11:37 PM Ashish Bijlani @.***> wrote:

I'm a Cyber Security researcher and developer of PackjGuard [1] to address open-source software supply chain attacks. Issue

During my research, I found that this repo is vulnerable to attack due to missing deleted dependency from the public PyPI registry. Details

Specifically, file https://github.com/Kiash254/COM-404E-Project-on-Breast-Cancer-using-ML/blob/1eb8e9c8f008cccd8e26357c31eee0f091bf851a/requirements.txt lists crackmapexec as one of the dependencies. However, it has been deleted from public PyPI. As such, an external bad actor can claim that name and register a malicious package, which will be then installed with pip install command, resulting in arbitrary remote code execution. Impact

Not only your apps/services using https://github.com/Kiash254/COM-404E-Project-on-Breast-Cancer-using-ML repo code are vulnerable to this attack, but the users of your open-source Github repo could also fall victim.

You could read more about such attacks here: @.***/dependency-confusion-4a5d60fec610 Remediation

Please manually register a placeholder crackmapexec package on PyPI immediately or remove crackmapexec dependency from https://github.com/Kiash254/COM-404E-Project-on-Breast-Cancer-using-ML/blob/1eb8e9c8f008cccd8e26357c31eee0f091bf851a/requirements.txt to fix this vulnerability.

To automatically fix such issues in future, please install PackjGuard Github app [1].

Thanks!

  1. PackjGuard is a Github app that monitors your repos 24x7, detects vulnerable/malicious/risky open-source dependencies, and creates pull requests for auto remediation: https://github.com/marketplace/packjguard

— Reply to this email directly, view it on GitHub https://github.com/Kiash254/COM-404E-Project-on-Breast-Cancer-using-ML/issues/1, or unsubscribe https://github.com/notifications/unsubscribe-auth/AV5GRXC5MJB7NRBYDYDRLGDYKH3IDAVCNFSM6AAAAABA3YNGGCVHI2DSMVQWIX3LMV43ASLTON2WKOZSGA2DSMZZG4ZDGNI . You are receiving this because you are subscribed to this thread.Message ID: @.*** com>