RCE due to a dependency confusion in bits-and-blooms/bloom
Reported on May 5th 2022
Description
Hi team,
I hope you are well. I found a dependency confusion vulnerability in this repo.
When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/bits-and-blooms/bloom/blob/25ba46ef8744ddeba999dcd048dbb8b0fa87edb3/Makefile#L188
go get github.com/GoASTScanner/gas
I then tested this URL and it was redirecting to https://github.com/securego/gosec. So I tested whether I could take over the old username to cause a dependency confusion vulnerability. This username was available to take, and I took it for the PoC. But to not impact any users, I did the following steps.
Proof of Concept
1.) I forked https://github.com/securego/gosec
2.) I changed the repo name from gosec to gas
3.) I changed my username from akincibor to GoASTScanner
4.) I re-changed my username from GoASTScanner to akincibor
Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.
Anyone can make this URL redirect to their own repo. They can also create a new GitHub account and take the old username without re-changing it.
Impact
As an attacker, I can host malicious content on my GitHub repository. I can also host an SDK, malware, or a simple backdoor, which can lead to an RCE: my repo will be installed rather than the real one, so the malicious code will be installed.
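The report's root cause is a build file that fetches a Go dependency through a GitHub path whose owner has since been renamed, so the old name is free for anyone to register. A defender can catch this in CI by checking whether each github.com path in the build file still resolves to the owner and repository that the file names. The following Go program is an added example, not code from the bloom project or from the reporter. It parses `go get` lines out of a constructed Makefile fragment, resolves each github.com owner/repo through an injected Resolver, and flags every path that lands somewhere else. The offline resolver, the `ExtractGoGetPaths`, `OwnerRepo`, `FindRedirectedDeps` and `GitHubResolver` names, and the `github.com/example/tool` line are all constructed for this example; only the GoASTScanner/gas to securego/gosec redirect comes from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Finding records a dependency whose GitHub path no longer resolves to the
// owner/repo that the build file names.
type Finding struct {
	Path       string // import path as written, e.g. github.com/GoASTScanner/gas
	Owner      string
	Repo       string
	FinalOwner string
	FinalRepo  string
}

// Resolver maps a GitHub owner/repo to the owner/repo that github.com serves
// after following redirects. It is injected so the check can run offline.
type Resolver func(owner, repo string) (finalOwner, finalRepo string, err error)

// ExtractGoGetPaths returns the module paths named by `go get` lines in a
// Makefile or shell script, skipping flags such as -u.
func ExtractGoGetPaths(build string) []string {
	var paths []string
	sc := bufio.NewScanner(strings.NewReader(build))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		for i := 0; i+1 < len(fields); i++ {
			if fields[i] == "go" && fields[i+1] == "get" {
				for _, f := range fields[i+2:] {
					if !strings.HasPrefix(f, "-") {
						paths = append(paths, f)
					}
				}
				break
			}
		}
	}
	return paths
}

// OwnerRepo splits a github.com import path into its owner and repository,
// dropping any sub-package or @version suffix. ok is false for other hosts.
func OwnerRepo(path string) (owner, repo string, ok bool) {
	if i := strings.Index(path, "@"); i >= 0 {
		path = path[:i]
	}
	parts := strings.Split(path, "/")
	if len(parts) < 3 || parts[0] != "github.com" {
		return "", "", false
	}
	return parts[1], parts[2], true
}

// FindRedirectedDeps flags every github.com dependency whose owner or repo
// differs after redirect resolution: a redirected path means the old name is
// no longer held by the project and may be re-registered by someone else.
func FindRedirectedDeps(paths []string, resolve Resolver) ([]Finding, error) {
	var out []Finding
	for _, p := range paths {
		owner, repo, ok := OwnerRepo(p)
		if !ok {
			continue
		}
		fo, fr, err := resolve(owner, repo)
		if err != nil {
			return out, fmt.Errorf("%s: %w", p, err)
		}
		// GitHub owner and repo names are case-insensitive.
		if !strings.EqualFold(fo, owner) || !strings.EqualFold(fr, repo) {
			out = append(out, Finding{Path: p, Owner: owner, Repo: repo, FinalOwner: fo, FinalRepo: fr})
		}
	}
	return out, nil
}

// GitHubResolver is the online Resolver: it lets net/http follow github.com's
// redirects and reads owner/repo from the final request URL. Not used below.
func GitHubResolver(owner, repo string) (string, string, error) {
	resp, err := http.Get("https://github.com/" + owner + "/" + repo)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", "", fmt.Errorf("status %d", resp.StatusCode)
	}
	parts := strings.Split(strings.Trim(resp.Request.URL.Path, "/"), "/")
	if len(parts) < 2 {
		return "", "", fmt.Errorf("unexpected final path %q", resp.Request.URL.Path)
	}
	return parts[0], parts[1], nil
}

// constructedMakefile is a sample build file made up for this example; the
// GoASTScanner/gas line mirrors the one the report points at.
const constructedMakefile = `lint:
	go get -u github.com/GoASTScanner/gas
	go get github.com/example/tool@v1.2.0
	gas ./...
`

// offlineResolver stands in for github.com: it encodes the one redirect the
// report describes (GoASTScanner/gas -> securego/gosec) and returns every
// other name unchanged.
func offlineResolver(owner, repo string) (string, string, error) {
	if strings.EqualFold(owner, "GoASTScanner") && strings.EqualFold(repo, "gas") {
		return "securego", "gosec", nil
	}
	return owner, repo, nil
}

func main() {
	findings, err := FindRedirectedDeps(ExtractGoGetPaths(constructedMakefile), offlineResolver)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s now resolves to github.com/%s/%s; pin the canonical path\n", f.Path, f.FinalOwner, f.FinalRepo)
	}
}
```

Swap `offlineResolver` for `GitHubResolver` to run the check against live GitHub in CI. The remediation the finding points to is the one the maintainers applied: reference the canonical path (github.com/securego/gosec) directly, so the build never depends on a redirect that a renamed account no longer controls.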
a year ago
Hi Jamie,
The issue has been fixed. May I have a CVE ?
Best regards, Akincibor
