Top 5 New Open Source Security Vulnerabilities in May 2018

Summer is officially here, reminding us once again to appreciate the air conditioned offices that allow us to aggregate and track open source security vulnerabilities without breaking into a sweat.

Another gift that comes with the end of May is our list of top 5 new open source vulnerabilities that were published in May.

We’ve put together a list of May’s top 5 new known open source security vulnerabilities, aggregated by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD) and from a wide range of publicly available, peer-reviewed open source security advisories.

Our top 5 list of projects hit by vulnerabilities this month consists of old favorites and some newcomers. Some of them were published in the NVD and some were made public in less popular trackers.

You might be surprised to find that you and your team use some of these tools and libraries every day. Some of this month’s vulnerabilities are embedded deep within the infrastructure of the communication networks we rely on all day.


#1 macaddress


Vulnerability Score: Critical — 10

Affected versions: All

Node-macaddress, an open source Node.js module that retrieves MAC addresses on Linux, OS X, and Windows, is vulnerable to command injection.

The node-macaddress library looks up the MAC address of each network interface, or picks an appropriate interface on its own when the caller just wants a single MAC address that identifies the host system.

An extremely popular library, node-macaddress averages over 900,000 weekly downloads. That leaves a whole lot of systems very vulnerable to command injection attacks.

Unfortunately, no fix is available yet. Until one is released, researchers recommend not installing or using this module.

You might have noticed that the vulnerability ID (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Patricia Johnson. Read the original post at: