Most Critical Flaw:
Shawn Smith, director of infrastructure at application security vendor nVisium, agreed, saying that of the three, “only one of them is extremely dangerous.”
“Using GitHub Actions to leak a token with write permissions to pypa/warehouse is serious and could have been used to introduce arbitrary code changes that contained more nefarious things,” Smith told eSecurity Planet. “The other two vulnerabilities are certainly not to be overlooked, but in the grand scheme of things, they aren’t critically concerning.”
He said that the flaw that could be used to delete what’s described as legacy documentation likely wouldn’t cripple a business. The other could be used to remove roles on PyPI projects, but “these roles are non-enumerable UUIDs [universally unique identifiers] that the attacker won’t know, so it’s fairly unlikely that a targeted attack could have been performed before the patch.”
Python Security Under Scrutiny:
Developers using the Python programming language should expect more scrutiny from security researchers and bad actors alike, Smith said.
“The more popular a particular programming language is, the more an attacker stands to gain by exploiting it,” he said. “Python is one of the most popular scripting languages in the world, so, combine this with the fact that it has a very extensive repository of different packages that you can install, and it becomes a very alluring target to exploit.”
Use Version-locked Dependencies:
Both Schrader and Smith said enterprises need to become more savvy about the software repositories they tap into and to monitor closely the packages they use, either by doing the monitoring themselves or having a service provider do it for them.
“Supply chain attacks are becoming increasingly common, so organizations should start including an audit of their software dependencies in their own individual software audits,” Smith said. “While those dependencies may not be something an organization directly maintains, the security issues that may be present in them do directly affect one’s own security posture.”
In addition, he said, “developers should be using version-locked dependencies to prevent accidental auto-updating to a potentially compromised dependency.” At the same time, security teams should be “actively monitoring the dependencies in use for issues and alerting the development teams, as necessary.”
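One way to enforce the version-locking advice above in a CI step, as an added example that is not from the article or from nVisium: a small Python check over a pip requirements file that flags entries with no exact "==" pin, and separately those pinned without a pip "--hash" (which leaves pip trusting whatever the index serves for that version). The sample requirements file, package names, versions and the hash value are constructed for illustration.

```python
"""Flag unpinned and hash-less entries in a pip requirements file (CI check)."""
import re

# Constructed sample requirements file; package names/versions are illustrative.
SAMPLE_REQUIREMENTS = """\
# version-locked: exact version plus a hash for pip's --require-hashes mode
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# pinned, but no hash: pip trusts whatever the index serves as 2.4.0
urllib3==2.4.0
# floating range: silently auto-updates to any newer 1.x release
flask>=1.0
# no specifier at all: always the latest upload, whoever published it
left-pad
"""
# requirement name, optional extras like [security], then the rest of the line
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def _logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def check_requirements(text):
    """Classify each requirement as 'locked' (==version plus --hash),
    'pinned-no-hash' (==version only) or 'unpinned' (range or bare name)."""
    report = {}
    for line in _logical_lines(text):
        match = _NAME_RE.match(line)
        if match is None:          # options such as --index-url or -r other.txt
            continue
        name, rest = match.group(1).lower(), match.group(3)
        has_pin = rest.startswith("==") and not rest.startswith("===")
        has_hash = "--hash=" in rest
        if has_pin and has_hash:
            report[name] = "locked"
        elif has_pin:
            report[name] = "pinned-no-hash"
        else:
            report[name] = "unpinned"
    return report


if __name__ == "__main__":
    for name, status in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:10s} {status}")
```

A CI job can fail the build whenever the report contains any status other than "locked", which is the state pip's own `--require-hashes` mode demands of every entry.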