PyPI fixes supply chain vulnerabilities
In an attempt to patch the Supply chain defect, the Python Package Index (PyPI) maintainers published a fix for three vulnerabilities last week. One of them allows the attacker to execute arbitrary commands or code on a target machine. This can grant complete access to official third-party software repositories.
The security weakness was highlighted by RyotaK, a Japanese Researcher. He enjoys the credits of discovering vulnerabilities in the past, including the Homebrew cask repository and Cloudflare CDNJS library.
PyPI repository is the official third-party software repository for the Python programming language. The site, along with the official Python pip package installer, allows developers and newbies to easily find and install the required Python components for their projects.
The identified vulnerabilities are as under:
- Vulnerability in Legacy document deletion – allows the attackers to eradicate project documentations on PyPI not under their control.
- Vulnerability in Role deletion – allows intruders to eliminate roles on PyPI not under their control
- Vulnerability in GitHub action workflow -allows the attackers to obtain write permissions for the warehouse repository
Where the first two vulnerabilities are identified as low-impact, the Japanese researcher deemed the third one to be a critical one. This is because it can allow the attacker to run commands on the PyPI’s infrastructure. This will immediately allow access to the code base, enabling modification of the PyPI code itself.
The supply chain vulnerabilities are critical, and only a few people are researching or working to protect their systems. As claimed by RyotaK, the vulnerabilities identified here had weight too. Therefore it is advised to contribute more towards enhancing the security in the supply chain arena.
In light of his work, the researcher is awarded $1000 by the Python Software Foundation for each of his bug reports. He has also been publicly praised for his work in this important area of security.