Top 5 Open Source Vulnerabilities for April 2019

April showers may bring May flowers, but they also bring with them some real doozies when it comes to open source vulnerabilities.

Spring is in the air, but our hard-working knowledge team at WhiteSource is still at it, seeking out the open source vulnerabilities that the public needs to know are out there.

The WhiteSource database continuously collects known open source security vulnerabilities from a number of well-respected community resources, such as the National Vulnerability Database (NVD), other public, peer-reviewed security advisories, and issue trackers.

This month’s list brings us some serious vulnerabilities in projects that we know you’re probably using. So let’s not waste any time and get down to it. Happy reading and don’t forget to update your software when you’re done.

CGI Servlet in Apache Tomcat

CVSS V2 9.3

Affected Versions: 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93

Coming in with the top CVSS rating of the month (you can breathe easy, team, no 10s this time around) is a particularly nasty vulnerability in one of our favorite projects.

We have learned that when running on Windows with enableCmdLineArguments enabled, the Common Gateway Interface (CGI) Servlet in Apache Tomcat (versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93) is vulnerable to Remote Code Execution, due to a bug in the way the JRE passes command line arguments to Windows.

In order to make this attack work, the target needs to be running on Windows in a non-default configuration, in conjunction with batch files. When these conditions line up, it can lead to an input (Read more…)
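As an added defender-side check, not from the original post: a Python snippet that tests the two conditions from the advisory that can be read straight off a Tomcat install, an affected version and a conf/web.xml that maps the CGI servlet with enableCmdLineArguments set to true (the Windows requirement is left to the caller). The web.xml sample is constructed; the servlet class name org.apache.catalina.servlets.CGIServlet and the web-app namespace are assumed to match Tomcat's shipped configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/web.xml fragment (not a real deployment)
# that enables the CGI servlet with enableCmdLineArguments turned on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Affected ranges from the advisory: (major, minor) -> last vulnerable patch level.
AFFECTED = {(9, 0): 17, (8, 5): 39, (7, 0): 93}


def _local(tag):
    # Strip the XML namespace so matching works for any web-app schema version.
    return tag.rsplit("}", 1)[-1]


def version_affected(version):
    """True if a Tomcat version string lies in an affected range (9.0.0.M1 counts as 9.0.0)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version}")
    major, minor, patch = (int(x) for x in m.groups())
    last = AFFECTED.get((major, minor))
    return last is not None and patch <= last


def cgi_cmdline_args_enabled(web_xml_text):
    """True if web.xml maps CGIServlet with enableCmdLineArguments set to true."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class")
        if cls.strip() != "org.apache.catalina.servlets.CGIServlet":
            continue
        for param in (p for p in servlet if _local(p.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "enableCmdLineArguments" and kv.get("param-value", "").lower() == "true":
                return True
    return False
```

A host is only in scope when both checks return True and the server runs on Windows; on such a host, upgrading past the affected ranges or setting the parameter to false removes the condition.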

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: