Top 5 New Open Source Vulnerabilities in November 2018

Whether November brought you chilly weather, family gatherings over copious amounts of food, or both, there’s no denying editors of tech publications had their hands full with the now notorious event-stream vulnerability. A cryptocurrency security flaw – who knew? Said no-one over the past few years.

While it’s not the classic open source security vulnerability for reasons which become apparent in our write up, it’s in our database so that users can make sure they are in the clear.

So, here it is folks, our hardworking research team’s list of top 5 open source security vulnerabilities in November. The team reviewed all the new issues added to WhiteSource’s database, which are aggregated continuously from multiple sources including the National Vulnerability Database (NVD), and additional publicly available, peer-reviewed security advisories and issue trackers.

We think it’s a good read and hope you make sure to check for them in your software projects.

#1 EventStream


Vulnerability Score: Critical — 10.0

Affected versions: npm packages of event-stream version 3.3.6; and flatmap-stream versions 0.1.1 and 0.1.2

This is surely the headline grabber of the month, though not a classic open source vulnerability, but rather malware distributed on top of an open source package.

The vulnerability resides in versions of the event-stream npm package, but the malicious code specifically targeted Copay, a Bitcoin wallet platform for desktop and mobile devices, and an open source project itself.

This is where the story gets complicated: the original author and owner of the event-stream module gave the ownership to a user named “right9ctrl”, who offered to take over maintenance of the open source project which the original owner had abandoned. Right9ctrl turned out to have a malicious agenda and (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: