GSD-2022-1002522

Source

https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1002xxx/GSD-2022-1002522.json

Published

2022-05-24T17:10:11.663637Z

Modified

2022-05-24T17:10:11.663637Z

Details

In PHP phpass version 0.3.x-dev, 0.3.x a backdoor exists in the phpass package that can be attacked via malicious package update resulting in credential theft

References

• https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e
• https://isc.sans.edu/diary/28678
• https://github.com/github/advisory-database/issues/325
• https://status.python.org/incidents/s8vm6pwr46c2
• https://blog.sonatype.com/pypi-package-ctx-compromised-are-you-at-risk