Research from Legit Security has disclosed a vulnerability in an archived Apache project. The vulnerability is a dependency confusion, also known as dependency hijacking or a substitution attack. The researchers discovered the exploit of the Apache Cordova App Harness, an archived open-source project, in the wild, showing that a malicious actor could run arbitrary code wherever the app is deployed and thereby gain access to the application. Such an attack could therefore lead to remote code execution inside the production environment.
The researchers argue that this discovery emphasizes the importance of treating third-party dependencies in software development as potential weak links. This is especially true, the research argues, for archived open-source projects, which are rarely updated or patched.
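As an added, defender-side illustration (not code from Legit Security or the Cordova project): a Node.js check that audits an npm lockfile for the dependency-confusion pattern described above, flagging internal package names that were resolved from the public registry, packages fetched from an unexpected host, and declared dependencies with no locked entry at all. The registry URLs, package names and lockfile contents are constructed for the example.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" shape) for dependency-confusion risk.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";       // assumed public registry
const PRIVATE_REGISTRY = "https://npm.example.internal/";    // hypothetical internal registry
// Package names the organisation publishes only internally (constructed list).
const INTERNAL_PACKAGES = new Set(["@acme/harness-utils", "acme-build-tools"]);

// Constructed package-lock.json: one internal name was resolved from the public registry,
// and one declared dependency never made it into the lock.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "cordova-lib": "^12.0.0", "acme-build-tools": "^1.0.0",
                          "@acme/harness-utils": "^2.1.0", "acme-reporting": "^0.3.0" } },
    "node_modules/cordova-lib": { version: "12.0.1",
      resolved: "https://registry.npmjs.org/cordova-lib/-/cordova-lib-12.0.1.tgz" },
    "node_modules/acme-build-tools": { version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-build-tools/-/acme-build-tools-99.0.0.tgz" },
    "node_modules/@acme/harness-utils": { version: "2.1.0",
      resolved: "https://npm.example.internal/@acme/harness-utils/-/harness-utils-2.1.0.tgz" },
  },
};

// Returns a list of { name, reason } findings; an empty list means the lockfile looks clean.
function auditLockfile(lock, { publicRegistry, privateRegistry, internalPackages }) {
  const findings = [];
  const packages = lock.packages || {};
  // 1. Every declared root dependency must have a locked entry, or its origin is unverifiable.
  for (const name of Object.keys((packages[""] || {}).dependencies || {})) {
    if (!packages[`node_modules/${name}`]) findings.push({ name, reason: "declared but not locked" });
  }
  // 2. Every locked package must come from a registry we expect, and internal names must
  //    never come from the public registry (the substitution the attack relies on).
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue;  // root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);  // handles scoped + nested
    const resolved = entry.resolved || "";
    const fromPublic = resolved.startsWith(publicRegistry);
    const fromPrivate = resolved.startsWith(privateRegistry);
    if (!resolved) findings.push({ name, reason: "no resolved URL" });
    else if (internalPackages.has(name) && fromPublic)
      findings.push({ name, reason: "internal package resolved from the public registry" });
    else if (!fromPublic && !fromPrivate) findings.push({ name, reason: `unexpected host: ${resolved}` });
  }
  return findings;
}

function auditSample() {
  return auditLockfile(SAMPLE_LOCK, { publicRegistry: PUBLIC_REGISTRY,
    privateRegistry: PRIVATE_REGISTRY, internalPackages: INTERNAL_PACKAGES });
}
```

Running `auditSample()` on the constructed lock reports `acme-reporting` as declared but not locked and `acme-build-tools` as an internal name resolved from the public registry; in a real pipeline the same check would run against the project's own lockfile in CI.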