Composer Repository Credentials Disclosure

High | Web App Scanning Plugin ID 113556

Synopsis

Composer Repository Credentials Disclosure

Description

Composer is the dependency manager for PHP. It lets developers declare the libraries their web application depends on and installs and updates them. Packages can also be hosted on a private Composer repository that requires authentication; Composer stores the credentials for such repositories in an auth.json file, either in the project directory or in the global COMPOSER_HOME directory.

When such a credentials file is exposed (for example, served from the web root), an attacker can obtain read and, depending on the scope of the token, write access to the private repository. Read access leads to sensitive information disclosure (source code, hardcoded credentials in private packages, and similar). Write access enables a supply chain attack: the attacker publishes a tampered version of a private package, and every web application that requires it installs the malicious code on its next dependency update.
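The following added example (not the Tenable plugin's own code) shows what a detection for this finding actually has to do once a candidate file is retrieved: parse the JSON, recognise the credential sections Composer documents (http-basic, bearer, github-oauth, gitlab-oauth, gitlab-token, bitbucket-oauth, custom-headers), and report each credential with the secret redacted so the scan report itself does not become a second disclosure. The sample auth.json body and the candidate paths are constructed for the example; the probe function is an assumed, minimal HTTP front end for the offline analysis.

```python
"""Classify an exposed Composer auth.json body and produce a redacted finding.

Added example, not the plugin's code. The section names come from the
Composer authentication docs; SAMPLE_AUTH_JSON and CANDIDATE_PATHS are
constructed for this example.
"""
import json
import urllib.error
import urllib.request

# Composer auth.json sections that hold secrets, keyed by hostname.
CREDENTIAL_SECTIONS = {
    "http-basic": "username/password for a private Composer repository",
    "bearer": "bearer token for a private Composer repository",
    "github-oauth": "GitHub OAuth token",
    "gitlab-oauth": "GitLab OAuth token",
    "gitlab-token": "GitLab personal or project access token",
    "bitbucket-oauth": "Bitbucket consumer key/secret",
    "custom-headers": "custom authentication headers",
}

# Locations a scanner might request relative to the web root (assumption:
# common deployment mistakes, not the plugin's real probe list).
CANDIDATE_PATHS = ("/auth.json", "/vendor/auth.json", "/.composer/auth.json")

# Constructed sample of a leaked credentials file; no real secrets.
SAMPLE_AUTH_JSON = json.dumps({
    "http-basic": {
        "packages.example.com": {"username": "deploy", "password": "S3cretDeployPass!"}
    },
    "github-oauth": {"github.com": "ghp_exampleexampleexampleexample1234"},
    "custom-headers": {"packages.example.com": ["X-Api-Key: example-api-key-value"]},
    "config": {"cache-dir": "/tmp"},  # not a credential section, must be ignored
})


def redact(secret):
    """Keep only enough of a secret to correlate it with a rotation ticket."""
    s = str(secret)
    if len(s) <= 8:
        return "*" * len(s)
    return s[:4] + "*" * (len(s) - 8) + s[-4:]


def analyse_auth_json(body):
    """Return (section, host, redacted_detail) tuples, or [] if the body is
    not a Composer credentials file (invalid JSON, non-object, no sections)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    findings = []
    for section, entries in data.items():
        if section not in CREDENTIAL_SECTIONS or not isinstance(entries, dict):
            continue
        for host, value in entries.items():
            if isinstance(value, dict):
                # http-basic: {"username", "password"}; bitbucket-oauth:
                # {"consumer-key", "consumer-secret"}; gitlab-token may also
                # be {"username", "token"}.
                detail = {k: redact(v) for k, v in value.items()}
            elif isinstance(value, list):
                # custom-headers: list of "Header: value" strings
                detail = [redact(v) for v in value]
            else:
                # github-oauth, gitlab-oauth, bearer, plain gitlab-token
                detail = redact(value)
            findings.append((section, host, detail))
    return findings


def probe(base_url, timeout=5):
    """Request each candidate path and analyse any 200 response. Needs
    network access; everything above runs offline on the sample."""
    results = {}
    for path in CANDIDATE_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                if resp.status != 200:
                    continue
                body = resp.read(64 * 1024).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue
        findings = analyse_auth_json(body)
        if findings:
            results[url] = findings
    return results


if __name__ == "__main__":
    for section, host, detail in analyse_auth_json(SAMPLE_AUTH_JSON):
        print(f"{section:15} {host:25} {CREDENTIAL_SECTIONS[section]}: {detail}")
```

A scanner should treat any non-empty result as a confirmed finding regardless of which section matched: a github-oauth token leaked this way typically grants access to every private repository the owning account can see, not only the one package the application pulls.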

Solution

Ensure that auth.json is not tracked in the Source Code Management (SCM) tool and is not reachable from the web server's document root. If the file is still required, restrict its permissions so that only the user running Composer can read it, or supply the credentials through the COMPOSER_AUTH environment variable instead of a file on disk. Any exposed credentials should be considered compromised and rotated.
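The following added example (not Tenable's or Composer's code) is the local counterpart to the remote check: a small audit that can run in CI or on the deployment host to catch the conditions the solution describes before a scanner does. It assumes the project root or one of the public/ and web/ subdirectories is the document root, reads only literal auth.json entries from the root .gitignore (no glob or negation handling), and builds a throw-away project in demo() purely to show the findings before and after remediation.

```python
"""Audit a PHP project checkout for a Composer auth.json that could leak.

Added example, not part of the plugin. Assumptions: the document root is
the project root or public/ or web/; SCM tracking is judged from literal
.gitignore entries only; demo() constructs its own temporary project.
"""
import os
import shutil
import stat
import tempfile

DOCROOT_CANDIDATES = ("", "public", "web")


def gitignored(root, name):
    """True if the root .gitignore lists the file by name ('auth.json' or
    '/auth.json'). Deliberately simple; globs and negations are not parsed."""
    path = os.path.join(root, ".gitignore")
    if not os.path.exists(path):
        return False
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and line.lstrip("/") == name:
                return True
    return False


def audit_project(root, docroots=DOCROOT_CANDIDATES):
    """Return human-readable findings for auth.json files under the given
    document-root candidates: presence, loose file mode, missing ignore."""
    findings = []
    present = [os.path.join(root, sub, "auth.json") for sub in docroots]
    present = [p for p in present if os.path.isfile(p)]
    for path in present:
        rel = os.path.relpath(path, root)
        findings.append(
            f"{rel}: Composer credentials file present under a web-served path; "
            "prefer COMPOSER_HOME/auth.json or the COMPOSER_AUTH variable"
        )
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{rel}: readable by group/others (mode {mode:04o}); expected 0600")
    if present and not gitignored(root, "auth.json"):
        findings.append("auth.json is not listed in .gitignore; it may be committed to SCM")
    return findings


def demo():
    """Construct a temporary project (example data only), audit it as found,
    apply the solution (mode 0600 plus .gitignore entry) and audit again.
    Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp()
    try:
        auth = os.path.join(root, "auth.json")
        with open(auth, "w") as fh:
            fh.write('{"http-basic": {"packages.example.com": '
                     '{"username": "deploy", "password": "example"}}}')
        os.chmod(auth, 0o644)            # typical careless default
        before = audit_project(root)
        os.chmod(auth, 0o600)            # remediation: owner-only
        with open(os.path.join(root, ".gitignore"), "w") as fh:
            fh.write("/vendor/\n/auth.json\n")
        after = audit_project(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before remediation:", *before, sep="\n  ")
    print("after remediation:", *after, sep="\n  ")
```

The remaining finding after remediation is intentional: even a correctly permissioned, ignored auth.json inside the project tree is one misconfigured web server away from disclosure, which is why keeping it in COMPOSER_HOME or passing COMPOSER_AUTH in the environment is the stronger fix. Rotation is still required whenever the file was ever reachable; the audit cannot tell you whether it already was.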

See Also

https://getcomposer.org/doc/articles/authentication-for-private-packages.md

Plugin Details

Severity: High

ID: 113556

Type: remote

Published: 2/8/2023

Updated: 2/8/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: Tenable

Reference Information