Top 5 New Open Source Security Vulnerabilities in May 2019

May brought us the full bloom of spring, a long Memorial Day weekend, and some nasty open source vulnerabilities, along with just a touch of drama in the open source community.

Now that May is behind us, our hard-working Knowledge Team braved the spring allergies and put together our monthly list of top new open source security vulnerabilities in May, aggregated by our very own WhiteSource open source vulnerabilities database.

The WhiteSource database continuously collects known open source security vulnerabilities from multiple sources, such as the National Vulnerability Database (NVD) and several other well-respected public, peer-reviewed security advisories and issue trackers.

Spoiler alert: May’s top 5 list includes vulnerabilities discovered in some of the most widely used open source components out there, and also sheds a bit of light (or shade, if you will) on some of the challenges open source project maintainers have to deal with.

So, here they are folks, hold on to your seats and read all about the top 5 new open source vulnerabilities in May.

#1 SQLite


Vulnerability Score: Critical — 9.8

Affected versions: from 3.6.0 to and including 3.27.2

A critical security vulnerability was discovered in SQLite3 versions 3.6.0 up to and including 3.27.2. A boundary condition in the rtreenode() function of the rtree extension, which decodes rtree node records, is not checked when the function is handed invalid rtree data. An attacker who can get crafted SQL (or a crafted database file) processed by an application that uses a vulnerable SQLite build can trigger a heap out-of-bounds read (CWE-125) and crash the application. The issue is fixed in SQLite 3.28.0.

You can read more about the issue and its fix in SQLite’s release notes for 3.28.0 and in the advisory.
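The practical questions for a team triaging this entry are "is the SQLite build we ship in the affected range?", "is the rtree extension (where rtreenode() lives) even compiled in?", and "what can we do until the upgrade lands?". The script below, an added example that is not code from the post, from WhiteSource or from the SQLite project, answers the first two from inside the running process and, as a stopgap of my own suggestion rather than anything the advisory recommends, uses SQLite's authorizer hook to refuse any SQL that calls rtreenode(). It assumes the affected range stated above is inclusive at both ends, and it never executes rtreenode() itself: the probe only confirms that the statement is rejected at compile time.

```python
"""Triage helper for the SQLite rtreenode() out-of-bounds read (added example)."""
import sqlite3

# Affected range as stated in the post: 3.6.0 up to and including 3.27.2.
# Assumption: both ends of the range are inclusive.
VULN_MIN = (3, 6, 0)
VULN_MAX = (3, 27, 2)


def parse_version(text):
    """Turn '3.27.2' into (3, 27, 2); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version):
    """True if the version string falls inside the affected range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def rtree_compiled_in(conn):
    """rtreenode() is registered by the rtree extension, so a build without
    SQLITE_ENABLE_RTREE does not expose the vulnerable function at all."""
    row = conn.execute("SELECT sqlite_compileoption_used('ENABLE_RTREE')").fetchone()
    return bool(row[0])


def deny_rtreenode(conn):
    """Stopgap mitigation: refuse, at statement-compile time, any SQL that
    calls rtreenode(). The authorizer sees SQLITE_FUNCTION with the function
    name in arg2 before the statement can run, so the bug is never reached."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() == "rtreenode":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def assess(conn=None):
    """Report the linked SQLite version and whether this process is exposed
    (vulnerable version AND rtree extension present)."""
    conn = conn or sqlite3.connect(":memory:")
    version = sqlite3.sqlite_version
    in_range = is_vulnerable_version(version)
    has_rtree = rtree_compiled_in(conn)
    return {
        "version": version,
        "version_in_affected_range": in_range,
        "rtree_compiled_in": has_rtree,
        "exposed": in_range and has_rtree,
    }


def harden_and_verify():
    """Open a connection, install the deny rule, and confirm that a call to
    rtreenode() is rejected while ordinary SQL still works. The rejection
    happens during prepare (either 'not authorized' or, on builds without
    rtree, 'no such function'), so rtreenode() is never executed."""
    conn = sqlite3.connect(":memory:")
    deny_rtreenode(conn)
    try:
        conn.execute("SELECT rtreenode(2, x'00')")  # constructed probe, never runs
        blocked = False
    except sqlite3.DatabaseError:
        blocked = True
    ordinary_ok = conn.execute("SELECT 1").fetchone()[0] == 1
    return {"rtreenode_blocked": blocked, "ordinary_sql_ok": ordinary_ok}


if __name__ == "__main__":
    print(assess())
    print(harden_and_verify())
```

The authorizer only covers SQL that passes through a connection you control; it does nothing for a crafted database file opened by some other process, and it is not a substitute for moving to 3.28.0 or later (or building without SQLITE_ENABLE_RTREE where rtree is not needed).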

SQLite is a C-language library that implements an SQL database engine. According to their site, SQLite is the most widely deployed Database Engine in the world, (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: