"Dependency Confusion Vulnerability Found in Apache Project"

Researchers at Legit Security discovered a dependency confusion vulnerability in an archived Apache project. The finding emphasizes the importance of analyzing third-party projects and dependencies, especially those that have been archived or possibly neglected when it comes to security updates. Dependency confusion, also known as "dependency hijacking" or a "substitution attack," allows attackers to launch software supply chain attacks by exploiting vulnerable dependencies in open source software. The issue arises when a reference to a private or local package causes the package manager, because of a misconfiguration, to inadvertently retrieve a malicious package of the same name from a public registry. This article continues to discuss the discovery of a dependency confusion vulnerability in an archived Apache project.
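The resolution mistake described above can be shown with a small simulation. The following Python code is an added example written for this summary; it is not code from the article, from Legit Security, or from the Apache project, and the package names, version numbers and index contents are constructed. It models two package indexes, shows how a "merge all indexes and take the highest version" resolution rule picks the public lookalike over the private package, shows the pinned-source rule that prevents it, and includes the audit a defender would run: listing every private package name that also exists on the public registry.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Version
    source: str  # which index served this candidate


# Constructed sample registries (hypothetical package names, not from the
# article): the private index holds the in-house package, and the public index
# holds a lookalike published under the same name with a very high version.
PRIVATE_INDEX: Dict[str, List[Version]] = {
    "acme-internal-utils": [(1, 2, 0), (1, 3, 0)],
}
PUBLIC_INDEX: Dict[str, List[Version]] = {
    "requests": [(2, 31, 0)],
    "acme-internal-utils": [(99, 0, 0)],  # lookalike of the private package
}
INDEXES: Dict[str, Dict[str, List[Version]]] = {
    "private": PRIVATE_INDEX,
    "public": PUBLIC_INDEX,
}


def resolve_merged(name: str,
                   indexes: Dict[str, Dict[str, List[Version]]]) -> Candidate:
    """Misconfigured behaviour: all indexes form one pool and the highest
    version wins regardless of which index served it. This is the rule that
    lets a public lookalike shadow the private package."""
    candidates = [
        Candidate(name, version, source)
        for source, index in indexes.items()
        for version in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"no configured index provides {name}")
    return max(candidates, key=lambda c: c.version)


def resolve_pinned(name: str,
                   indexes: Dict[str, Dict[str, List[Version]]],
                   pinned_sources: Dict[str, str]) -> Candidate:
    """Hardened behaviour: a name listed in pinned_sources may only be fetched
    from that one index, so a lookalike on any other index is never a
    candidate. Unpinned names resolve as before."""
    if name in pinned_sources:
        source = pinned_sources[name]
        indexes = {source: indexes[source]}
    return resolve_merged(name, indexes)


def audit_confusable(private_index: Dict[str, List[Version]],
                     public_index: Dict[str, List[Version]]) -> List[str]:
    """Defender check: every private package name that also exists on the
    public index is a dependency-confusion candidate and needs a source pin."""
    return sorted(set(private_index) & set(public_index))


if __name__ == "__main__":
    pins = {"acme-internal-utils": "private"}
    bad = resolve_merged("acme-internal-utils", INDEXES)
    good = resolve_pinned("acme-internal-utils", INDEXES, pins)
    print("merged indexes  ->", bad.source, bad.version)    # public (99, 0, 0)
    print("pinned source   ->", good.source, good.version)  # private (1, 3, 0)
    print("confusable names->", audit_confusable(PRIVATE_INDEX, PUBLIC_INDEX))
```

The audit function is the part worth carrying into a real pipeline: run it against the private index and the public registry your builds can reach, and treat every name it returns as a package that must be pinned to its private source. In real tooling the equivalent of `pinned_sources` is the package manager's per-package index or scoped-registry configuration rather than the single "extra index" setting that produces the merged behaviour.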

Infosecurity Magazine reports "Dependency Confusion Vulnerability Found in Apache Project"

Submitted by grigby1
