Top 5 New Open Source Security Vulnerabilities in September 2018

New Open Source Security Vulnerabilities in September 2018

September is officially the start of autumn, and we are here to celebrate the end of summer with our list of the top 5 new open source vulnerabilities in September. This past month’s Top 5 might surprise you, as it includes vulnerabilities that have actually been around for quite a while — but not on the NVD. Once again, the decentralized and collaborative nature of the hardworking open source community provides consistent and efficient security coverage, just as long as you know where to look.

Our hardworking research crew has reviewed all of the open source vulnerabilities published this September and put together a list of September’s Top 5 new known open source security vulnerabilities. The data is aggregated by WhiteSource’s comprehensive database, updated continuously from the National Vulnerability Database (NVD), as well as other publicly available, peer-reviewed security advisories and issue trackers.

Since not all reported open source vulnerabilities appear in the NVD, the WhiteSource database covers several other sources. That is why this list includes vulnerabilities from the CVE index as well as vulnerabilities from the WhiteSource database that have not yet been added to the CVE list.

The list below tells you what you need to know about the top vulnerabilities to hit in September. You can use the WhiteSource Vulnerability Checker to see if any of them are in one of your projects.


#1 Node.js tough-cookie


Vulnerability Score: Medium — 5.3

Affected versions: version 2.2.2

The affected version of the Node.js tough-cookie package contains a regular expression parsing vulnerability in its handling of the HTTP request Cookie header. An attacker can exploit it for a denial of service (regular expression denial of service, ReDoS) by sending a crafted Cookie header from a client.

Tough Cookie, RFC6265 Cookies and CookieJar for Node.js, is an extremely popular (Read more…)
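Two defender-side checks for the tough-cookie issue above, as an added example that is not from the WhiteSource post: a walk over an npm package-lock.json that flags the affected version 2.2.2 anywhere in the dependency tree, and a size gate for incoming Cookie headers that bounds the input a regex-based parser ever sees. The lock-file layout, the fictional package names and the size limits are assumptions.

```javascript
// Added example (not from the WhiteSource post): two defender-side checks for the
// tough-cookie issue described above. The affected version, 2.2.2, comes from the
// post; the lock-file shape and the header size limits are assumptions.
const AFFECTED_TOUGH_COOKIE = new Set(['2.2.2']);

// Walk an npm package-lock.json "dependencies" tree (lockfile v1 layout, nested
// entries included) and return every path at which an affected version is installed.
function findAffectedToughCookie(lock, prefix = '') {
  const hits = [];
  for (const [name, info] of Object.entries(lock.dependencies || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    if (name === 'tough-cookie' && AFFECTED_TOUGH_COOKIE.has(info.version)) {
      hits.push({ path, version: info.version });
    }
    hits.push(...findAffectedToughCookie(info, path)); // nested node_modules
  }
  return hits;
}

// Gate a Cookie header before it reaches a regex-based parser. Catastrophic
// backtracking grows super-linearly with input length, so bounding the total size,
// the number of pairs and the size of any one pair caps the worst-case work.
const DEFAULT_LIMITS = { maxBytes: 4096, maxPairs: 50, maxPairBytes: 1024 };
function cookieHeaderWithinLimits(header, limits = DEFAULT_LIMITS) {
  if (typeof header !== 'string') return false;
  if (Buffer.byteLength(header, 'utf8') > limits.maxBytes) return false;
  const pairs = header.split(';');
  if (pairs.length > limits.maxPairs) return false;
  return pairs.every((p) => Buffer.byteLength(p, 'utf8') <= limits.maxPairBytes);
}

// Constructed sample lock file: a transitive copy of the affected version hidden
// under a fictional dependency, plus a top-level copy on a later release.
const SAMPLE_LOCK = {
  dependencies: {
    'example-http-client': {
      version: '1.0.0',
      dependencies: { 'tough-cookie': { version: '2.2.2' } },
    },
    'tough-cookie': { version: '2.4.3' },
  },
};
```

Run the lock walk in CI against the real package-lock.json and fail the build on any hit; the header gate belongs in front of whatever middleware hands the Cookie header to the parser.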

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Ayala Goldstein. Read the original post at: