CAPEC-692: Spoof Version Control System Commit Metadata

Description
<p>An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.<p>
Extended Description

Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:

  • Owner of the repository
  • Author(s) of commits
  • Frequency of commits
  • Date/Time of commits
  • Repository activity graphs

    • These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.

Severity :

High

Possibility :

Medium

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-691: Spoof Open-Source Software Metadata Spoof Open-Source Software Metadata
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Identification of a popular open-source repository whose metadata is to be spoofed.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium Ability to spoof a variety of repository metadata to convince victims the source is trusted.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-494: Download of Code Without Integrity Check

Visit http://capec.mitre.org/ for more details.