Top 5 New Open Source Security Vulnerabilities in August 2018

August provided us with an excellent example of history repeating, in the form of a newly disclosed security vulnerability in Apache Struts 2, otherwise known as CVE-2018-11776. This vulnerability was published nearly a year after Equifax’s September 2017 announcement that they had suffered a record-breaking data breach due to a previously known Struts 2 vulnerability.

As many in the industry have been looking back and questioning whether organizations learned anything about open source security management from the notorious Equifax fiasco, the latest Struts 2 vulnerability got its share of headlines. However, while that vulnerability should certainly be taken seriously, tens of other new open source security issues were published this August, and they deserve just as much attention.

Our tenacious research team has gone over the data and put together a list of the top 5 new known open source security vulnerabilities published in August. The data is aggregated by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD), as well as several additional publicly available, peer-reviewed security advisories and issue trackers.

While many security vulnerabilities are listed in the NVD, too few of us know that only 86% of reported open source vulnerabilities appear in the NVD. That’s why the WhiteSource database covers multiple sources besides the database, and it’s the reason this list includes both vulnerabilities from the CVE index and from the WS database, that have yet to be added to the CVE lists.

To add to the headline-winning Struts 2 vulnerability, August’s top 5 list of vulnerable open source components has some OG favorites everyone is most probably using, and other newer open source tools and frameworks to help the kids with all their new web applications. Either way, take care of your Struts but (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: