Top 5 New Open Source Security Vulnerabilities in September 2019

Autumn is officially upon us. While some take time this season to stock up on pumpkin spice and Halloween decorations, our Knowledge Team dove into the really scary stuff — reviewing the new open source security vulnerabilities published in September. 

In order to deliver our monthly top five new security vulnerabilities list, our fearless Knowledge Team combed through the WhiteSource database. This extensive database continuously collects published open source security vulnerabilities from a number of well-respected community sources like the National Vulnerability Database (NVD), peer-reviewed security advisories, and issue trackers so that we can provide the most comprehensive info about known open source security vulnerabilities and their fixes. 

September’s top 5 list of new open source vulnerabilities covers a wide range of open source projects, from back-end and operating systems, to programming languages, front-end and API development tools. If you’re developing software, then there’s a good chance you are directly or indirectly using one of the projects on this list. 

So, without further ado, here are September’s scariest top 5 new open source security vulnerabilities. 

#1 curl

Affected versions (CVE-2019-5481): 7.52.0 to 7.65.3

Affected versions (CVE-2019-5482): 7.19.4 to 7.65.3

Vulnerability Score: Critical — 9.8

We’ve got a two-for-one for you this month with this pair of highly critical issues discovered in cURL, the popular C-based URL transfer library. 

The first curl issue, CVE-2019-5481, is a double-free vulnerability in the FTP-kerberos code. According to the curl security advisory, “vulnerable versions of libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPT_KRBLEVEL option.” 

The second curl issue, otherwise known as CVE-2019-5482, is a critical heap buffer overflow vulnerability in curl’s TFTP protocol handler. 
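Both issues are only reachable when the build actually carries the affected code path, so a quick inventory check wants more than a bare version comparison. The script below is an added example written for this post (it is not WhiteSource's or the curl project's code): it parses the text that `curl --version` prints, takes the libcurl version from the first line, and reports, for each of the two CVEs, whether the version is in the affected range stated above and whether the required protocol and feature are compiled in. The preconditions it applies (the FTP-Kerberos path needs a build with GSS-API/Kerberos listed under Features, the TFTP path needs `tftp` listed under Protocols) are assumptions drawn from the advisory text quoted above, and the sample outputs are constructed for the example.

```python
import re

# Inclusive affected ranges as stated in the post. The protocol/feature
# preconditions are assumptions (the FTP-Kerberos double free needs a
# GSS-API/Kerberos-enabled build; the TFTP heap overflow needs TFTP
# compiled in) and are not listed on the page.
AFFECTED = {
    "CVE-2019-5481": {
        "from": (7, 52, 0), "to": (7, 65, 3),
        "protocol": "ftp", "features": ("gss-api", "kerberos"),
    },
    "CVE-2019-5482": {
        "from": (7, 19, 4), "to": (7, 65, 3),
        "protocol": "tftp", "features": (),
    },
}

EXPOSED = "exposed"
NOT_REACHABLE = "affected-version-but-not-reachable"
NOT_AFFECTED = "not-affected"


def parse_curl_version(output):
    """Parse the text printed by `curl --version`.

    Returns the libcurl version as an int tuple (falling back to the curl
    binary version if no libcurl/ token is present), plus the Protocols
    and Features lines as sets.
    """
    info = {"version": None, "protocols": set(), "features": set()}
    for line in output.splitlines():
        if line.startswith("curl "):
            # The library carries the bug, so prefer its version over the CLI's.
            m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", line)
            if m is None:
                m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", line)
            if m:
                info["version"] = tuple(int(x) for x in m.groups())
        elif line.startswith("Protocols:"):
            info["protocols"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Features:"):
            info["features"] = {f.lower() for f in line.split(":", 1)[1].split()}
    if info["version"] is None:
        raise ValueError("no curl/libcurl version line found")
    return info


def assess(info):
    """Map each CVE to exposed / affected-but-not-reachable / not-affected."""
    result = {}
    for cve, spec in AFFECTED.items():
        if not spec["from"] <= info["version"] <= spec["to"]:
            result[cve] = NOT_AFFECTED
            continue
        reachable = spec["protocol"] in info["protocols"] and (
            not spec["features"]
            or any(f in info["features"] for f in spec["features"])
        )
        result[cve] = EXPOSED if reachable else NOT_REACHABLE
    return result


def assess_output(output):
    return assess(parse_curl_version(output))


# Constructed sample outputs (not captured from real hosts).
SAMPLE_VULNERABLE = """curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1c zlib/1.2.11
Release-Date: 2019-02-06
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS GSS-API Kerberos SPNEGO SSL libz
"""

SAMPLE_NO_TFTP = """curl 7.40.0 (x86_64-pc-linux-gnu) libcurl/7.40.0 OpenSSL/1.0.1k zlib/1.2.8
Protocols: file ftp http https
Features: SSL libz
"""

SAMPLE_FIXED = """curl 7.66.0 (x86_64-pc-linux-gnu) libcurl/7.66.0 OpenSSL/1.1.1d zlib/1.2.11
Protocols: dict file ftp ftps http https tftp
Features: AsynchDNS GSS-API Kerberos SPNEGO SSL libz
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", SAMPLE_VULNERABLE),
                       ("no-tftp", SAMPLE_NO_TFTP),
                       ("fixed", SAMPLE_FIXED)):
        print(name, assess_output(text))
```

On a real host, feed the output of `curl --version` to `assess_output`; a result of `affected-version-but-not-reachable` still means the library should be upgraded, it only lowers the urgency. The fix for both issues shipped in curl 7.66.0, which the post does not state but the curl advisories do.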

curl is used in (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: