Top 5 New Open Source Vulnerabilities for February 2018

Some things never change. For starters, February began with Punxsutawney Phil, the hero of Groundhog Day, once again coming out of hibernation to give us his much-awaited prediction for the start of spring. No use in sugarcoating it folks, we still have a ways to go. Meanwhile, the open source community didn’t have the luxury of winter hibernation, seeing as new open source vulnerabilities don’t wait for spring.

That brings us to this month's top 5 new open source security vulnerabilities, aggregated from the National Vulnerability Database (NVD) as well as our own WhiteSource database, which is updated daily from a number of publicly available, peer-reviewed open source security advisories.

Some of the projects hit this February have been featured in our previous monthly updates, and some are unfortunate newcomers to the list. The good news is that all of the vulnerabilities have fixes, so without further ado, here are the top 5 new open source vulnerabilities that we should all be checking our projects for.

#1 Jenkins

CVE-2017-1000354 Vulnerability score: High — 8.8

CVE-2017-1000355 Vulnerability score: Medium — 6.5

CVE-2017-1000356 Vulnerability score: High — 8.8

Affected versions: 2.56 and earlier as well as 2.46.1 LTS and earlier

This three-for-one special is handed to us courtesy of our beloved open source CI server.

Continuous Integration has become a fundamental process in the software development environment, and Jenkins, the Java-based open source CI server, is one of the most popular ones out there. Happy users cite the fact that Jenkins is a cross-platform tool, and that it offers configuration both through a GUI and through console commands. Users also like that, thanks to its large open source community, Jenkins offers flexibility, a comprehensive plugin list, and (Read more...)
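As an added example (not part of the WhiteSource post), here is a small Python check that parses a Jenkins version string and reports whether it falls inside the affected ranges stated above for these three CVEs. It assumes the Jenkins numbering convention that LTS releases carry three components (e.g. 2.46.1) while weekly releases carry two (e.g. 2.56); the version strings in `SAMPLE_VERSIONS` are constructed for illustration.

```python
# Added example, not code from the WhiteSource post or the Jenkins project.
# Checks Jenkins version strings against the affected ranges given in the post:
#   weekly releases: 2.56 and earlier
#   LTS releases:    2.46.1 and earlier
from typing import Dict, Iterable, Tuple

# Affected-range ceilings, taken from the "Affected versions" line above.
WEEKLY_MAX_AFFECTED: Tuple[int, ...] = (2, 56)
LTS_MAX_AFFECTED: Tuple[int, ...] = (2, 46, 1)

# Constructed sample inventory of Jenkins instances (hostnames are placeholders).
SAMPLE_VERSIONS = {
    "ci-a.example.internal": "2.56",     # last affected weekly release
    "ci-b.example.internal": "2.57",     # first weekly release outside the range
    "ci-c.example.internal": "2.46.1",   # last affected LTS release
    "ci-d.example.internal": "2.46.2",   # first LTS release outside the range
    "ci-e.example.internal": "2.7.4",    # older LTS line, still affected
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.56" or "2.46.1" into an integer tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(parsed: Tuple[int, ...]) -> bool:
    """Assumption: Jenkins LTS versions have three components, weekly versions two."""
    return len(parsed) == 3


def is_affected(version: str) -> bool:
    """True if the version is within the affected range for its release line.

    Tuple comparison is lexicographic, so (2, 7, 4) <= (2, 46, 1) holds as
    a numeric comparison should (no string comparison pitfalls like "2.7" > "2.46").
    """
    parsed = parse_version(version)
    ceiling = LTS_MAX_AFFECTED if is_lts(parsed) else WEEKLY_MAX_AFFECTED
    return parsed <= ceiling


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to "affected" or "fixed" so the result can be acted on or asserted."""
    return {host: ("affected" if is_affected(v) else "fixed") for host, v in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_VERSIONS).items()):
        print(f"{host}: {SAMPLE_VERSIONS[host]} -> {status}")
```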

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Blog – WhiteSource. Read the original post at: